CVE-2023-53320

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()<br /> <br /> The function mpi3mr_get_all_tgt_info() has four issues:<br /> <br /> 1) It calculates valid entry length in alltgt_info assuming the header part<br /> of the struct mpi3mr_device_map_info would equal to sizeof(u32). The<br /> correct size is sizeof(u64).<br /> <br /> 2) When it calculates the valid entry length kern_entrylen, it excludes one<br /> entry by subtracting 1 from num_devices.<br /> <br /> 3) It copies num_device by calling memcpy(). Substitution is enough.<br /> <br /> 4) It does not specify the calculated length to sg_copy_from_buffer().<br /> Instead, it specifies the payload length which is larger than the<br /> alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".<br /> <br /> Fix the issues by using the correct header size, removing the subtraction<br /> from num_devices, replacing the memcpy() with substitution and specifying<br /> the correct length to sg_copy_from_buffer().