6.15-stable review patch, vulnerability exists since v6.9
Out-of-bounds vulnerability found in ./drivers/scsi/sd.c
The vulnerability was found by Wukong-Agent
(formerly Tencent Woodpecker), a code security AI agent,
through static code analysis.
The sd_read_block_limits_ext function performs an unreasonable boundary check.
Out-of-bounds read vulnerability exists in the
Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
The flaw occurs in the sd_read_block_limits_ext function
when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
responses from storage devices.
A maliciously crafted 4-byte VPD page (0xB7) would cause an out-of-bounds
memory read, leading to potential system instability
and driver state corruption.
Signed-off-by: jackysliu <1972843537@qq.com>
---
drivers/scsi/sd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3f6e87705b62..eeaa6af294b8 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
rcu_read_lock();
vpd = rcu_dereference(sdkp->device->vpd_pgb7);
- if (vpd && vpd->len >= 2)
+ if (vpd && vpd->len >= 6)
sdkp->rscs = vpd->data[5] & 1;
rcu_read_unlock();
}
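Review bot: the new bound `vpd->len >= 6` is the smallest value that makes the `vpd->data[5]` read in-bounds, so the check itself is correct, but the commit message says the bug has existed since v6.9 and carries no `Fixes:` tag naming the commit that introduced the `vpd_pgb7` read; stable needs that tag to track the backport. Consider also tying the bound to the index the function actually reads (for example `vpd->len > 5`, with a one-line comment saying byte 5 holds the RSCS bit) so the relation between the check and the access is visible to the next reader and does not drift if the offset changes.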
--
2.43.5
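To make the length-gate mistake in the commit message concrete, here is an added example (not the kernel's code and not part of the original thread) that models the check in userspace C. `struct vpd_page` is a hypothetical stand-in for the midlayer's cached VPD page, `gate_admits_oob_read()` models the old `len >= 2` gate against the fixed `len >= 6` gate, and `read_rscs()` is a hardened reader whose bound is derived from the index it touches. The two sample responses are constructed: VPD pages start with a 4-byte header (device type, page code, 16-bit payload length), so a header-only page is exactly the 4-byte case described above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for the kernel's cached VPD page: a length-prefixed
 * copy of the raw INQUIRY VPD response, 4-byte page header included.
 */
struct vpd_page {
    size_t len;        /* valid bytes in data[] */
    uint8_t data[];    /* allocated to exactly len bytes */
};

/* Byte the driver reads the RSCS bit from, as in sd_read_block_limits_ext(). */
#define VPD_B7_RSCS_BYTE 5

/*
 * Models the length gate. Returns true when a page of page_len bytes passes
 * "len >= min_len" although data[VPD_B7_RSCS_BYTE] lies past its end.
 * With min_len == 2 (the old check) a 4-byte page is admitted; with
 * min_len == 6 (the fix) no admitted page can be too short.
 */
static bool gate_admits_oob_read(size_t page_len, size_t min_len)
{
    return page_len >= min_len && page_len <= VPD_B7_RSCS_BYTE;
}

/*
 * Hardened reader: the bound is computed from the index actually touched.
 * Returns the RSCS bit (0 or 1), or -1 when the page is absent or too short.
 */
static int read_rscs(const struct vpd_page *vpd)
{
    if (!vpd || vpd->len < VPD_B7_RSCS_BYTE + 1)
        return -1;
    return vpd->data[VPD_B7_RSCS_BYTE] & 1;
}

/* Build a page from constructed bytes; caller frees. */
static struct vpd_page *make_page(const uint8_t *bytes, size_t n)
{
    struct vpd_page *p = malloc(sizeof(*p) + n);

    if (!p)
        return NULL;
    p->len = n;
    memcpy(p->data, bytes, n);
    return p;
}

/*
 * Constructed sample responses (page code 0xB7). short_b7 is a header-only
 * page with payload length 0, the 4-byte case from the commit message;
 * full_b7 carries a 2-byte payload whose first byte has the RSCS bit set.
 */
static const uint8_t short_b7[] = { 0x00, 0xB7, 0x00, 0x00 };
static const uint8_t full_b7[]  = { 0x00, 0xB7, 0x00, 0x02, 0x00, 0x01 };

int main(void)
{
    struct vpd_page *s = make_page(short_b7, sizeof(short_b7));
    struct vpd_page *f = make_page(full_b7, sizeof(full_b7));
    int rc = (read_rscs(s) == -1 && read_rscs(f) == 1 &&
              gate_admits_oob_read(sizeof(short_b7), 2) &&
              !gate_admits_oob_read(sizeof(short_b7), 6)) ? 0 : 1;

    free(s);
    free(f);
    return rc;
}
```

The point the gate predicate makes is that the fix is not merely "a bigger number": once the minimum length equals the read offset plus one, the set of pages that pass the gate yet end before byte 5 is empty, which is why `read_rscs()` derives its bound from `VPD_B7_RSCS_BYTE` instead of repeating the constant.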
On 6/18/25 9:03 PM, jackysliu wrote:
> 6.15-stable review patch, vulnerability exists since v6.9
>
> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c
> The vulnerability is found by is found by Wukong-Agent
> (formerly Tencent Woodpecker), a code security AI agent,
> through static code analysis.
>
> sd_read_block_limits_ext Function Due to Unreasonable boundary checks.
> Out-of-bounds read vulnerability exists in the
> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
> The flaw occurs in the sd_read_block_limits_ext function
> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
> responses from storage devices
>
> A maliciously crafted 4-byte VPD page (0xB7) would cause Out-of-Bounds
> Memory Read, leading to potential system Instability
> and Driver State Corruption.

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
On 15/07/2025 15:00, Bart Van Assche wrote:
> On 6/18/25 9:03 PM, jackysliu wrote:
>> 6.15-stable review patch, vulnerability exists since v6.9
>>
>> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c
>> The vulnerability is found by is found by Wukong-Agent
>> (formerly Tencent Woodpecker), a code security AI agent,
>> through static code analysis.
>>
>> sd_read_block_limits_ext Function Due to Unreasonable boundary checks.
>> Out-of-bounds read vulnerability exists in the
>> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
>> The flaw occurs in the sd_read_block_limits_ext function
>> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
>> responses from storage devices
>>
>> A maliciously crafted 4-byte VPD page (0xB7) would cause Out-of-Bounds
>> Memory Read, leading to potential system Instability
>> and Driver State Corruption.
>
> Reviewed-by: Bart Van Assche <bvanassche@acm.org>

Just checking - are you sure? Please be careful with this work, that's
AI generated stuff which in some cases did not even compile or did not
actually follow C code.

Best regards,
Krzysztof
On 7/15/25 8:36 AM, Krzysztof Kozlowski wrote:
> On 15/07/2025 15:00, Bart Van Assche wrote:
>> On 6/18/25 9:03 PM, jackysliu wrote:
>>> 6.15-stable review patch, vulnerability exists since v6.9
>>>
>>> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c
>>> The vulnerability is found by is found by Wukong-Agent
>>> (formerly Tencent Woodpecker), a code security AI agent,
>>> through static code analysis.
>>>
>>> sd_read_block_limits_ext Function Due to Unreasonable boundary checks.
>>> Out-of-bounds read vulnerability exists in the
>>> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
>>> The flaw occurs in the sd_read_block_limits_ext function
>>> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
>>> responses from storage devices
>>>
>>> A maliciously crafted 4-byte VPD page (0xB7) would cause Out-of-Bounds
>>> Memory Read, leading to potential system Instability
>>> and Driver State Corruption.
>>
>> Reviewed-by: Bart Van Assche <bvanassche@acm.org>
>
> Just checking - are you sure? Please be careful with this work, that's
> AI generated stuff which in some cases did not even compile or did not
> actually follow C code.

As one can see here, an in-depth review was performed before I replied
with "Reviewed-by":
https://lore.kernel.org/linux-scsi/07c4c84d-0c52-4843-b32d-6806e58892fe@acm.org/

Bart.
On Fri, Jul 11 2025 08:51:30 +0200, greg k-h wrote:
> Yes, and then look to see what buf_len (not buflen) in
> gen_ndis_set_resp() is used for. I'll wait... :)

Oh, my bad. It seems that buf_len will only be used for some debugging code.

> What tool generated this static analysis? You always have to mention
> that as per our development rules.

The vulnerability was found by Wukong-Agent, a code security AI agent,
through static code analysis. But it seems that this is a false positive.

> And what qemu setup did you use to test this? That would be helpful to
> know so that I can verify it on my end.

I'll add some web-usb device to test this model. But it seems that I went
the wrong way.

Thanks
Siyang Liu