CVE-2024-40901: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40901 affects the Linux kernel's SCSI subsystem, specifically in the mpt3sas driver. The vulnerability was discovered in July 2024 and involves a potential out-of-bounds memory access when using test_bit() operations on single word boundaries (NVD, Kernel Patch).

The vulnerability occurs when testbit() and setbit() functions operate on long values while testing or setting a single word, which can exceed the word boundary. The issue manifests in the scsihadd_device.constprop.0 function within the mpt3sas driver. KASAN (Kernel Address Sanitizer) detects this as a slab-out-of-bounds write of size 8 at specific memory addresses. The CVSS v3.1 base score is 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to out-of-bounds memory access in the Linux kernel's SCSI subsystem, potentially resulting in system crashes, information leaks, or privilege escalation in systems using the mpt3sas driver (NVD).

The fix involves ensuring that memory allocations are at least the size of sizeof(unsigned long) to provide sufficient room for setbit() and testbit() operations without overwriting unallocated memory. The patch has been merged into the Linux kernel and is available through various distribution updates (Kernel Patch).