OESA-2025-1648

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix WRITE_SAME No Data Buffer crash

In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sgwritesame --ndob" we will crash in targetcoreiblock/file's executewritesame handlers when we go to access the secmd->tdata_sg because its NULL.

This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer.(CVE-2022-21546)

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: ipc: Fix potential use-after-free in work function

When a reset notify IPC message is received, the ISR schedules a work function and passes the ISHTP device to it via a global pointer ishtpdev. If ishprobe() fails, the devm-managed device resources including ishtpdev are freed, but the work is not cancelled, causing a use-after-free when the work function tries to access ishtpdev. Use devmworkautocancel() instead, so that the work is automatically cancelled if probe fails.(CVE-2023-53039)

In the Linux kernel, the following vulnerability has been resolved:

KVM: Explicitly verify target vCPU is online in kvmgetvcpu()

Explicitly verify the target vCPU is fully online prior to clamping the index in kvmgetvcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL.

In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor.

However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed.

As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvmvmioctlcreatevcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpuarray[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpuarray[0] UAF race.(CVE-2024-58083)

In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usbcdcnotification, we can't calculate an expectedsize. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expectedsize decreases between fragments, causing expected_size - acm->nb_index to wrap.

This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acmctrlirq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.(CVE-2025-21704)