Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's SCSI MPI3MR driver has been addressed. The issue originated in the 'mpi3mr_get_all_tgt_info()' function, which improperly calculated the length of target information entries. It assumed the header size of a specific structure was equal to the size of a 32-bit integer, when it should have been the size of a 64-bit integer. Additionally, the function incorrectly subtracted one from the number of devices when calculating entry lengths, used 'memcpy()' to copy device counts when a simple assignment would suffice, and failed to specify the correct length for data being copied from a buffer, leading to a 'slab-out-of-bounds' error. These issues have been fixed by adjusting the header size, correcting the entry length calculation, replacing 'memcpy()' with direct assignments, and ensuring the proper length is communicated to the buffer copy function.
The vulnerability could lead to a 'slab-out-of-bounds' error, causing memory corruption.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.
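The length arithmetic from the description above, modelled in C as an added example; it is not the driver's code. The structures, field names and function names are constructed, and the sketch assumes the pre-fix copy length was taken from the caller's payload size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the driver's structures: an 8-byte header
 * followed by fixed-size per-device entries (8 bytes each). */
struct hdr   { uint16_t num_devices, rsvd1; uint32_t rsvd2; };
struct entry { uint16_t handle, perst_id; uint8_t target_id, bus_id, rsvd[2]; };

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }
static size_t whole_entries(size_t n) { return n / sizeof(struct entry) * sizeof(struct entry); }

/* Kernel-side allocation for num_devices entries. */
size_t alloc_len(uint16_t num_devices)
{
    return sizeof(struct hdr) + (size_t)num_devices * sizeof(struct entry);
}

/* Pre-fix: header taken as 4 bytes and one device dropped. */
size_t entry_bytes_buggy(size_t payload_len, uint16_t num_devices)
{
    size_t usr = whole_entries(payload_len - sizeof(uint32_t));
    size_t kern = (size_t)(num_devices - 1) * sizeof(struct entry);
    return min_sz(usr, kern);
}

/* Fixed: real header size, every device counted. The short-payload
 * guard is this sketch's own addition. */
size_t entry_bytes_fixed(size_t payload_len, uint16_t num_devices)
{
    if (payload_len < sizeof(struct hdr))
        return 0;
    return min_sz(whole_entries(payload_len - sizeof(struct hdr)),
                  (size_t)num_devices * sizeof(struct entry));
}

/* Length given to the copy-out step. Assumption: pre-fix it was the payload size. */
size_t copy_len_buggy(size_t payload_len) { return payload_len; }
size_t copy_len_fixed(size_t payload_len, uint16_t num_devices)
{
    return sizeof(struct hdr) + entry_bytes_fixed(payload_len, num_devices);
}

/* Nonzero when the copy would read past the allocation (slab-out-of-bounds). */
int overreads(size_t copy_len, uint16_t num_devices) { return copy_len > alloc_len(num_devices); }

int main(void)
{
    printf("buggy: %d fixed: %d\n", overreads(copy_len_buggy(4096), 2),
           overreads(copy_len_fixed(4096, 2), 2));
    return 0;
}
```

With a 20-byte payload and three devices, the 4-byte header assumption reports room for two entries although only one fits after the real 8-byte header.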