CVE-2024-36920 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Avoid memcpy field-spanning write WARNING
When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driver prints this WARNING message:
memcpy: detected field-spanning write (size 128) of single field "bsg_reply_buf->reply_buf" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1) WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]
The cause of the WARN is 128 bytes memcpy to the 1 byte size array "__u8 replay_buf[1]" in the struct mpi3mr_bsg_in_reply_buf. The array is intended
to be a flexible length array, so the WARN is a false positive.
To suppress the WARN, remove the constant number '1' from the array declaration and clarify that it has flexible length. Also, adjust the memory allocation size to match the change.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/01/2025
The vulnerability CVE-2024-36920 affects the Linux kernel's mpi3mr SCSI driver implementation specifically when processing commands from the storcli2 utility for eHBA-9600 storage controllers. This issue manifests as a false positive memory warning during the execution of the "storcli2 show" command, which is commonly used for storage array management and monitoring. The warning originates from the kernel's memory management subsystem and indicates a potential field-spanning write condition that could signal underlying memory corruption or improper memory access patterns. The mpi3mr driver is responsible for managing Mellanox MPI3-based storage controllers and handles various background service requests through the BSG (Block Generic Services) interface.
The technical root cause involves an improper array declaration within the mpi3mr_bsg_in_reply_buf structure where a flexible length array is incorrectly defined with a fixed size of one byte. Specifically, the array __u8 replay_buf[1] is intended to serve as a flexible array member that can accommodate variable data sizes, but the current declaration triggers kernel memory safety checks that incorrectly interpret this as a field-spanning write operation. The memcpy operation attempts to copy 128 bytes of data into what the kernel's static analysis tools perceive as a single-byte buffer, generating the warning message that includes the exact line number and memory location where the issue occurs. This represents a classic case of improper flexible array handling in kernel space code, where the kernel's memory safety mechanisms are overly conservative in their interpretation of array boundaries.
The operational impact of this vulnerability is primarily limited to generating false positive warning messages in kernel logs rather than causing actual system instability or data corruption. However, the warning message can clutter system logs and potentially mask genuine memory safety issues that administrators might overlook during security assessments or incident response activities. The vulnerability affects systems running the Linux kernel with the mpi3mr driver loaded, particularly those managing Mellanox storage controllers through the storcli2 management interface. While the actual functionality of the driver remains intact, the excessive warning messages can impact system monitoring and logging effectiveness, potentially interfering with automated security monitoring systems that rely on clean kernel log output for threat detection.
The fix implemented addresses the core issue by removing the artificial constraint of a fixed array size and properly declaring the array as a flexible length member. This change requires adjusting the memory allocation size to properly accommodate the flexible array's actual usage patterns while maintaining the driver's intended functionality. The solution aligns with kernel development best practices for flexible array handling and follows established patterns used throughout the Linux kernel codebase for similar memory management scenarios. The mitigation approach ensures that the driver can properly handle variable-length data transfers while eliminating the false positive warning conditions that could confuse system administrators or security analysts during routine monitoring activities.
This vulnerability type relates to CWE-467: Use of sizeof() on a Pointer Type and CWE-476: NULL Pointer Dereference, though the specific manifestation is more closely aligned with improper flexible array handling in kernel space. The issue demonstrates how kernel memory safety mechanisms can sometimes produce false positives when dealing with legitimate flexible array patterns, highlighting the importance of proper kernel code review practices and adherence to kernel development guidelines. From an ATT&CK perspective, this vulnerability does not directly enable privilege escalation or lateral movement but could potentially impact system availability through log flooding or interfere with security monitoring capabilities that depend on clean system logs for threat detection and analysis.