]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
projects / mirror_ubuntu-bionic-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: caf5708) | patch
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
authorKees Cook <keescook@chromium.org>
Mon, 29 Jul 2019 21:47:22 +0000 (14:47 -0700)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Tue, 17 Sep 2019 16:02:18 +0000 (18:02 +0200)
commit1a4e334faf3dbd2c0a4869d9487ba2d9270b767a
tree2b4aa263f24fd524b7b39afa323ccbd3c5e15447tree
parentcaf5708da8e4cb0ab8195a2be7351816359cf6f4commit | diff
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()

BugLink: https://bugs.launchpad.net/bugs/1841652
[ Upstream commit 71d6c505b4d9e6f76586350450e785e3d452b346 ]

Jeffrin reported a KASAN issue:

  BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
  Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
  ...
  The buggy address belongs to the variable:
    cdb.48319+0x0/0x40

Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
eject_tray()"), this fixes a cdb[] buffer length, this time in
zpodd_get_mech_type():

We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Fixes: afe759511808c ("libata: identify and init ZPODD devices")
Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
drivers/ata/libata-zpodd.c diff | blob | blame | history
ubuntu-bionic-kernel mirror