Bug 2395866 (CVE-2023-53320) - CVE-2023-53320 kernel: scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()
Summary: CVE-2023-53320 kernel: scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()
Keywords:
Status: NEW
Alias: CVE-2023-53320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-16 17:02 UTC by OSIDB Bzimport
Modified: 2025-09-16 18:28 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-16 17:02:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()

The function mpi3mr_get_all_tgt_info() has four issues:

1) It calculates valid entry length in alltgt_info assuming the header part
   of the struct mpi3mr_device_map_info would equal to sizeof(u32).  The
   correct size is sizeof(u64).

2) When it calculates the valid entry length kern_entrylen, it excludes one
   entry by subtracting 1 from num_devices.

3) It copies num_device by calling memcpy(). Substitution is enough.

4) It does not specify the calculated length to sg_copy_from_buffer().
   Instead, it specifies the payload length which is larger than the
   alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".

Fix the issues by using the correct header size, removing the subtraction
from num_devices, replacing the memcpy() with substitution and specifying
the correct length to sg_copy_from_buffer().
Comment 1 Jon Moroney 2025-09-16 18:25:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091644-CVE-2023-53320-d419@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.