Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A slab-out-of-bounds vulnerability has been identified in the Linux kernel's SCSI SES (SCSI Enclosure Services) subsystem. This issue arises in the function 'ses_enclosure_data_process', where the additional descriptor pointer is not properly sanitized before being accessed. The vulnerability was exposed by a task running 'systemd-udevd', leading to a read of size 1 from an invalid memory address. The flaw has been addressed by ensuring that the size is validated before the first access to the additional descriptor pointer, preventing the function from reading beyond the end of the allocated memory page.
Exploitation of this vulnerability could lead to memory corruption, allowing for potential arbitrary code execution or causing a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by triggering the 'ses_enclosure_data_process' function in the SCSI SES subsystem. This can be done by using a SCSI device that supports enclosure services and has additional descriptors that can be processed. The 'systemd-udevd' task will then read the invalid memory address, causing the slab-out-of-bounds condition.
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Git Repository under the Stable branch. Instructions for downloading the latest stable kernel can be found in the official Linux kernel documentation.
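The class of check the fix describes, validating the remaining size before the first read through a descriptor pointer, is shown below as an added example; it is not the kernel's code or the upstream patch. It assumes a simplified layout in which each descriptor is a 2-byte header whose second byte gives the payload length; the function name `walk_descriptors` and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified layout: 2-byte header, header byte 1 = payload length. */
#define DESC_HDR_LEN 2

/* Constructed sample buffers (not captured from a real enclosure). */
static const uint8_t sample_ok[]        = {0x00, 0x02, 0xAA, 0xBB, 0x00, 0x01, 0xCC};
static const uint8_t sample_short_hdr[] = {0x00, 0x02, 0xAA, 0xBB, 0x00};
static const uint8_t sample_long_len[]  = {0x00, 0xFF, 0xAA};

/* Walk back-to-back descriptors in buf[0..len). Returns the number of
 * complete descriptors, or -1 if a header or payload would cross the end. */
int walk_descriptors(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        /* Size check comes before the first read of the header bytes. */
        if (len - off < DESC_HDR_LEN)
            return -1;
        size_t payload = buf[off + 1];
        /* The announced payload must also fit in what is left. */
        if (payload > len - off - DESC_HDR_LEN)
            return -1;
        off += DESC_HDR_LEN + payload;
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok: %d\n", walk_descriptors(sample_ok, sizeof(sample_ok)));
    printf("short header: %d\n", walk_descriptors(sample_short_hdr, sizeof(sample_short_hdr)));
    printf("oversized length: %d\n", walk_descriptors(sample_long_len, sizeof(sample_long_len)));
    return 0;
}
```

Both malformed buffers are rejected without any byte at or past `buf + len` being read, which is the property the patched function restores for the additional descriptor pointer.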