logo_clicknbuy.png

CVE-2025-21656 – Linux drivetemp SCSI Error Code Injection Vulnerability

The following table lists the changes that have been made to the
CVE-2025-21656 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jan. 21, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur

    scsi_execute_cmd() function can return both negative (linux codes) and
    positive (scsi_cmnd result field) error codes.

    Currently the driver just passes error codes of scsi_execute_cmd() to
    hwmon core, which is incorrect because hwmon only checks for negative
    error codes. This leads to hwmon reporting uninitialized data to
    userspace in case of SCSI errors (for example if the disk drive was
    disconnected).

    This patch checks scsi_execute_cmd() output and returns -EIO if it’s
    error code is positive.

    [groeck: Avoid inline variable declaration for portability]
    Added Reference https://git.kernel.org/stable/c/42268d885e44af875a6474f7bba519cc6cea6a9d
    Added Reference https://git.kernel.org/stable/c/53e25b10a28edaf8c2a1d3916fd8929501a50dfc
    Added Reference https://git.kernel.org/stable/c/82163d63ae7a4c36142cd252388737205bb7e4b9
Share the Post:

Related Posts