CVE-2025-21873

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: bsg: Fix crash when arpmb command fails

If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn().

In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len.

Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22

4,1308,531166555,-;Call Trace:

4,1309,531166559,-; <TASK>

4,1310,531166565,-; ? show_regs+0x6d/0x80

4,1311,531166575,-; ? die+0x37/0xa0

4,1312,531166583,-; ? do_trap+0xd4/0xf0

4,1313,531166593,-; ? do_error_trap+0x71/0xb0

4,1314,531166601,-; ? usercopy_abort+0x6c/0x80

4,1315,531166610,-; ? exc_invalid_op+0x52/0x80

4,1316,531166622,-; ? usercopy_abort+0x6c/0x80

4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20

4,1318,531166643,-; ? usercopy_abort+0x6c/0x80

4,1319,531166652,-; __check_heap_object+0xe3/0x120

4,1320,531166661,-; check_heap_object+0x185/0x1d0

4,1321,531166670,-; __check_object_size.part.0+0x72/0x150

4,1322,531166679,-; __check_object_size+0x23/0x30

4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6ff265fc5ef660499e0edc4641647e99eed3f519 < 32fb5ec825f6f76bc28902181c65429a904a07feaffected
LinuxLinux6ff265fc5ef660499e0edc4641647e99eed3f519 < 59455f968c1004ed897ba873237657745d81ce0faffected
LinuxLinux6ff265fc5ef660499e0edc4641647e99eed3f519 < 7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327affected
LinuxLinux6ff265fc5ef660499e0edc4641647e99eed3f519 < f27a95845b01e86d67c8b014b4f41bd3327daa63affected
LinuxLinux6.3affected
LinuxLinux0 < 6.3unaffected
LinuxLinux6.6.81 <= 6.6.*unaffected
LinuxLinux6.12.18 <= 6.12.*unaffected
LinuxLinux6.13.6 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

References