CVE-2025-21738

Source
https://cve.org/CVERecord?id=CVE-2025-21738
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21738.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21738
Published
2025-02-27T02:12:13.942Z
Modified
2026-05-07T04:18:43.188814Z
Summary
ata: libata-sff: Ensure that we cannot write outside the allocated buffer
Details

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-sff: Ensure that we cannot write outside the allocated buffer

reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory.

While an ATA device is supposed to abort an ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug.

Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer.

Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21738.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a5dbd18a7496ed403f6f54bb20c955c65482fa5
Fixed
a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c
Fixed
d5e6e3000309359eae2a17117aa6e3c44897bf6c
Fixed
0dd5aade301a10f4b329fa7454fdcc2518741902
Fixed
0a17a9944b8d89ef03946121241870ac53ddaf45
Fixed
6e74e53b34b6dec5a50e1404e2680852ec6768d2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21738.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.22
Fixed
6.1.129
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.78
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.14
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21738.json"