Linux Kernel SCSI sg Command Handling Vulnerability on Removed Devices

A vulnerability in the Linux kernel's SCSI subsystem was introduced by a change in how the 'sg' driver handles commands for devices that are removed while still in use. When a SCSI device is disconnected, the 'sg' driver currently returns an error indicating the device is no longer available. This can lead to issues with commands using direct I/O, as the data buffer may still be in use by the kernel when userspace attempts to free or reuse it. This can result in corrupted memory or data being improperly sent to the device. The vulnerability has been observed when logging out of an iSCSI session, where the iSCSI driver may still be processing commands after the device has been marked for removal.

Impact

The vulnerability can lead to memory corruption in userspace or data corruption when writing to a device.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this vulnerability has been patched.