CVE-2025-21738

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-sff: Ensure that we cannot write outside the allocated buffer<br /> <br /> reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len<br /> set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to<br /> ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to<br /> write outside the allocated buffer, overwriting random memory.<br /> <br /> While a ATA device is supposed to abort a ATA_NOP command, there does seem<br /> to be a bug either in libata-sff or QEMU, where either this status is not<br /> set, or the status is cleared before read by ata_sff_hsm_move().<br /> Anyway, that is most likely a separate bug.<br /> <br /> Looking at __atapi_pio_bytes(), it already has a safety check to ensure<br /> that __atapi_pio_bytes() cannot write outside the allocated buffer.<br /> <br /> Add a similar check to ata_pio_sector(), such that also ata_pio_sector()<br /> cannot write outside the allocated buffer.