Overview
CVE-2025-40259 addresses a vulnerability in the Linux kernel’s SCSI generic (sg) driver. Specifically, the issue stems from the sg_finish_rem_req() function potentially calling blk_rq_unmap_user() in an atomic context. blk_rq_unmap_user() can sleep, which is prohibited in atomic contexts. This could lead to kernel panics and system instability.
Technical Details
The vulnerability arises within the sg_finish_rem_req() function of the SCSI sg driver. This function tears down a completed sg request. Before the fix, it was called with interrupts disabled. The core of the problem is that sg_finish_rem_req() calls blk_rq_unmap_user(), which is capable of sleeping. In the kernel, ‘atomic context’ means a section of code where interrupts are disabled, and thus sleeping is forbidden. Attempting to sleep in atomic context triggers a kernel panic.
The fix ensures that sg_finish_rem_req() is called with interrupts enabled, so that blk_rq_unmap_user() can sleep safely if it needs to.
CVSS Analysis
The CVE entry reports the severity and CVSS score as N/A. This suggests that while the bug could lead to system instability (kernel panic), there is no documented way for an attacker to trigger it directly from userspace or over the network. Its exploitability is therefore limited, and the security impact is considered low in many scenarios.
Possible Impact
The primary impact of this vulnerability is a potential kernel panic, leading to system downtime and to data loss if the system is actively performing I/O at the time. While a direct exploit might be difficult, the instability caused by the bug is a concern for systems that rely heavily on the SCSI subsystem, especially those whose configuration makes the vulnerable code path more likely to be executed.
Mitigation or Patch Steps
The recommended mitigation is to apply the relevant kernel patches that address this issue. These patches are available in various stable kernel branches. Updating to a kernel version containing these patches will resolve the vulnerability. Here’s the core change implemented:
- Enable interrupts before calling sg_finish_rem_req().
Alternatively, if patching is not immediately feasible, monitoring kernel logs for panics related to the SCSI subsystem can give early warning that this issue is manifesting.
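One way to do that monitoring, as an added example that is not part of the CVE entry or the kernel tree: a Python scanner for dmesg or journal output that picks out the kernel’s “BUG: sleeping function called from invalid context” and “BUG: scheduling while atomic” reports and flags those whose call trace passes through sg_finish_rem_req() or blk_rq_unmap_user(). The sample log lines are constructed to mirror the kernel’s format; the timestamps, PID, offsets and source line number in them are placeholders.

```python
import re
from dataclasses import dataclass, field

# Headers the kernel prints when code tries to sleep in atomic context; the
# call trace printed after them is what we inspect.
ATOMIC_SLEEP_RE = re.compile(
    r"BUG: (?:sleeping function called from invalid context|scheduling while atomic)")
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?:\?\s+)?([A-Za-z_]\w*)\+0x")  # "? sym+0x.."
IRQS_RE = re.compile(r"irqs_disabled\(\):\s*(\d)")
# Symbols tying a report to the sg_finish_rem_req() -> blk_rq_unmap_user() path.
SG_PATH = {"sg_finish_rem_req", "blk_rq_unmap_user"}

@dataclass
class AtomicSleepReport:
    header: str
    irqs_disabled: "bool | None" = None   # None until the in_atomic() line is seen
    frames: list = field(default_factory=list)

    def on_sg_path(self) -> bool:
        return bool(SG_PATH & set(self.frames))

def scan_dmesg(lines):
    # Group each atomic-sleep BUG header with the call trace that follows it.
    reports, current = [], None
    for line in lines:
        if m := ATOMIC_SLEEP_RE.search(line):
            current = AtomicSleepReport(header=m.group(0))
            reports.append(current)
        elif current is None:
            continue                       # noise outside any report
        elif m := IRQS_RE.search(line):
            current.irqs_disabled = m.group(1) == "1"
        elif m := FRAME_RE.match(line):
            current.frames.append(m.group(1))
        elif "</TASK>" in line:            # end of this trace block
            current = None
    return reports

def sg_reports(lines):
    # Only the reports whose trace runs through the sg path this CVE describes.
    return [r for r in scan_dmesg(lines) if r.on_sg_path()]

# Constructed dmesg excerpt: placeholder timestamps, PID, offsets and line number.
SAMPLE_DMESG = """\
[  100.000001] sd 0:0:0:0: [sda] Attached SCSI disk
[  812.400001] BUG: sleeping function called from invalid context at block/blk-map.c:0
[  812.400002] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 4242, name: sgtool
[  812.400003]  blk_rq_unmap_user+0x0/0x0
[  812.400004]  sg_finish_rem_req+0x0/0x0
[  812.400005]  </TASK>
""".splitlines()
```

Feed it `dmesg` or `journalctl -k` output line by line; a hit with `irqs_disabled=True` and both sg symbols in `frames` is the signature of this bug firing.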
References
- https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b
- https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe
- https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e
- https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f
- https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5
