CVE-2025-40118
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports:
UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type 'pm8001_phy [16]'
on rmmod when using an expander.
For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.
I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).
E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the ports has an expander connected. The expander has 31 phys with phy ids 0-30.
The pm8001_ha->phy array only contains the phys of the HBA. It does not contain the phys of the expander. Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.
Thus, we can only clear phy_attached for devices that are directly attached.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 05b512879eab41faa515b67fa3896d0005e97909 < d94be0a6ae9ade706d4270e740bdb4f79953a7fc | affected |
| Linux | Linux | bc2140c8136200b4437e1abc0fb659968cb9baab < 45acbf154befedd9bc135f5e031fe7855d1e6493 | affected |
| Linux | Linux | 1d8f9378cb4800c18e20d80ecd605b2b93e87a03 < eef5ef400893f8e3dbb09342583be0cdc716d566 | affected |
| Linux | Linux | 30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a < 9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582 | affected |
| Linux | Linux | a862d24e1fc3ab1b5e5f20878d2898cea346d0ec < e62251954a128a2d0fcbc19e5fa39e08935bb628 | affected |
| Linux | Linux | 0f9802f174227f553959422f844eeb9ba72467fe < 9326a1541e1b7ed3efdbab72061b82cf01c6477a | affected |
| Linux | Linux | f7b705c238d1483f0a766e2b20010f176e5c0fb7 < 83ced3c206c292458e47c7fac54223abc7141585 | affected |
| Linux | Linux | f7b705c238d1483f0a766e2b20010f176e5c0fb7 < 251be2f6037fb7ab399f68cd7428ff274133d693 | affected |
| Linux | Linux | 722026c010fa75bcf9e2373aff1d7930a3d7e3cf | affected |
| Linux | Linux | 5.4.293 < 5.4.301 | affected |
| Linux | Linux | 5.10.237 < 5.10.246 | affected |
| Linux | Linux | 5.15.181 < 5.15.195 | affected |
| Linux | Linux | 6.1.136 < 6.1.156 | affected |
| Linux | Linux | 6.6.89 < 6.6.112 | affected |
| Linux | Linux | 6.12.26 < 6.12.53 | affected |
| Linux | Linux | 6.14.5 < 6.15 | affected |
| Linux | Linux | 6.15 | affected |
| Linux | Linux | 0 < 6.15 | unaffected |
| Linux | Linux | 5.4.301 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.246 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.195 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.156 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.112 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.53 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.3 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc
- https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493
- https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566
- https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582
- https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628
- https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a
- https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585
- https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.