In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump:
BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
For full log, please look at [1].
Make the allocation at least sizeof(unsigned long) bytes so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory.
[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/
[
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-065bfeb0",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9079338c5a0d1f1fee34fb1c9e99b754efe414c5",
"signature_type": "Line"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-104276d9",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4254dfeda82f20844299dca6c38cbffcfd499f41",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-1e95494f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4254dfeda82f20844299dca6c38cbffcfd499f41",
"signature_type": "Line"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-38227fea",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f333e644c4246ca04a4fc4772edc53dd2a801",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-4d9579ed",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f333e644c4246ca04a4fc4772edc53dd2a801",
"signature_type": "Line"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-620a095e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee",
"signature_type": "Line"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-69179bb0",
"digest": {
"function_hash": "311942546469269711721945656121613435658",
"length": 7478.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-693a0aa4",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18abb5db0aa9b2d48f7037a88b41af2eef821674",
"signature_type": "Line"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-6d097b27",
"digest": {
"function_hash": "337710878447191012718585144875474319196",
"length": 8583.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@19649e49a6df07cd2e03e0a11396fd3a99485ec2",
"signature_type": "Function"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-72d620bc",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16",
"signature_type": "Function"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-75142be6",
"digest": {
"function_hash": "106892036857831055276149483173955169803",
"length": 8722.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-7693a396",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46bab2bcd771e725ff5ca3a68ba68cfeac45676c",
"signature_type": "Line"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-77a59126",
"digest": {
"function_hash": "326558388771646364405114407826242106061",
"length": 8776.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46bab2bcd771e725ff5ca3a68ba68cfeac45676c",
"signature_type": "Function"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-7f44241a",
"digest": {
"function_hash": "326558388771646364405114407826242106061",
"length": 8776.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4254dfeda82f20844299dca6c38cbffcfd499f41",
"signature_type": "Function"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-8a9860a6",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e9bce7c751f6d6c7be88c0bc081a66aaf61a23ee",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-96ce3329",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0081d2b3ae0a17a86b8cc0fa3c8bdc54e233ba16",
"signature_type": "Line"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-9aa25dec",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9079338c5a0d1f1fee34fb1c9e99b754efe414c5",
"signature_type": "Function"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-aa9044d0",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46bab2bcd771e725ff5ca3a68ba68cfeac45676c",
"signature_type": "Function"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-b1032e85",
"digest": {
"function_hash": "326558388771646364405114407826242106061",
"length": 8776.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9079338c5a0d1f1fee34fb1c9e99b754efe414c5",
"signature_type": "Function"
},
{
"target": {
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-b48134ca",
"digest": {
"threshold": 0.9,
"line_hashes": [
"206976408184080250797400897375841226700",
"275355555329948033364376738999710259784",
"270515446666273326084820694376340032876",
"164961317032479086701877437415437253160",
"103507886980611359047367175689487457721",
"67582876633024663101501382204658995360",
"169744509790671527533762628706931637954",
"285411242503113162249307657918241069612",
"117869220024805509705282779931148525765",
"200141485440463621726633800778592985426",
"264751330205972735221131640676948122831"
]
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@19649e49a6df07cd2e03e0a11396fd3a99485ec2",
"signature_type": "Line"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-bdf56c83",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18abb5db0aa9b2d48f7037a88b41af2eef821674",
"signature_type": "Function"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-d0639721",
"digest": {
"function_hash": "326558388771646364405114407826242106061",
"length": 8776.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@18abb5db0aa9b2d48f7037a88b41af2eef821674",
"signature_type": "Function"
},
{
"target": {
"function": "_base_check_ioc_facts_changes",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-d56178be",
"digest": {
"function_hash": "241212979529959962772910839804838549510",
"length": 1698.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@19649e49a6df07cd2e03e0a11396fd3a99485ec2",
"signature_type": "Function"
},
{
"target": {
"function": "mpt3sas_base_attach",
"file": "drivers/scsi/mpt3sas/mpt3sas_base.c"
},
"id": "CVE-2024-40901-dbc9d1d9",
"digest": {
"function_hash": "326558388771646364405114407826242106061",
"length": 8776.0
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f333e644c4246ca04a4fc4772edc53dd2a801",
"signature_type": "Function"
}
]