Linux Kernel SCSI PM80XX Array Index Out-of-Bounds Vulnerability

A vulnerability in the Linux kernel's SCSI PM80XX driver has been identified, where the removal of a device connected through an expander can lead to an array index out-of-bounds error. This issue arises because the driver's handling of physical (phy) IDs for devices behind an expander is incorrect, allowing for an out-of-bounds access when the expander has more physical IDs than the host bus adapter (HBA) can accommodate. The problem was introduced in a previous commit and affects the management of phy attachments for devices behind expanders.

Impact

The vulnerability can cause a kernel panic due to an array index out-of-bounds error, which can lead to a denial of service.

Reproduction

To reproduce this vulnerability, connect a device expander to a port of a SCSI controller using the PM80XX driver. Ensure that the expander has more physical IDs than the host bus adapter can handle. Then, remove a device that is connected through the expander. This will trigger the array index out-of-bounds error, as the driver incorrectly attempts to access physical IDs that are out of range.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.