Jeffrin reported a KASAN issue:
BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
...
The buggy address belongs to the variable:
cdb.48319+0x0/0x40
Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
eject_tray()"), this fixes a cdb[] buffer length, this time in
zpodd_get_mech_type():
We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Reported-by: Jeffrin Jose T <[email protected]>
Fixes: afe759511808c ("libata: identify and init ZPODD devices")
Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
Tested-by: Jeffrin Jose T <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
v2: added reported/tested-by and direct to Jens
---
drivers/ata/libata-zpodd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index 173e6f2dd9af..eefda51f97d3 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
unsigned int ret;
struct rm_feature_desc *desc;
struct ata_taskfile tf;
- static const char cdb[] = { GPCMD_GET_CONFIGURATION,
+ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,
2, /* only 1 feature descriptor requested */
0, 3, /* 3, removable medium feature */
0, 0, 0,/* reserved */
--
2.17.1
--
Kees Cook
On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <[email protected]> wrote:
>
> On 7/29/19 3:47 PM, Kees Cook wrote:
> > Jeffrin reported a KASAN issue:
> >
> > BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> > Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> > ...
> > The buggy address belongs to the variable:
> > cdb.48319+0x0/0x40
> >
> > Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> > eject_tray()"), this fixes a cdb[] buffer length, this time in
> > zpodd_get_mech_type():
> >
> > We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> > ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>
> Applied, thanks.
Dropped my reviewed by tag. :(
https://lkml.org/lkml/2019/7/22/865
--
Thanks,
~Nick Desaulniers
On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <[email protected]> wrote:
>>
>> On 7/29/19 3:47 PM, Kees Cook wrote:
>>> Jeffrin reported a KASAN issue:
>>>
>>> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
>>> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
>>> ...
>>> The buggy address belongs to the variable:
>>> cdb.48319+0x0/0x40
>>>
>>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
>>> eject_tray()"), this fixes a cdb[] buffer length, this time in
>>> zpodd_get_mech_type():
>>>
>>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
>>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>>
>> Applied, thanks.
>
> Dropped my reviewed by tag. :(
> https://lkml.org/lkml/2019/7/22/865
I'll add it.
--
Jens Axboe
On 7/29/19 3:47 PM, Kees Cook wrote:
> Jeffrin reported a KASAN issue:
>
> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> ...
> The buggy address belongs to the variable:
> cdb.48319+0x0/0x40
>
> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> eject_tray()"), this fixes a cdb[] buffer length, this time in
> zpodd_get_mech_type():
>
> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Applied, thanks.
--
Jens Axboe
On Mon, Jul 29, 2019 at 04:00:08PM -0600, Jens Axboe wrote:
> On 7/29/19 3:58 PM, Nick Desaulniers wrote:
> > On Mon, Jul 29, 2019 at 2:55 PM Jens Axboe <[email protected]> wrote:
> >>
> >> On 7/29/19 3:47 PM, Kees Cook wrote:
> >>> Jeffrin reported a KASAN issue:
> >>>
> >>> BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
> >>> Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
> >>> ...
> >>> The buggy address belongs to the variable:
> >>> cdb.48319+0x0/0x40
> >>>
> >>> Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
> >>> eject_tray()"), this fixes a cdb[] buffer length, this time in
> >>> zpodd_get_mech_type():
> >>>
> >>> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> >>> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
> >>
> >> Applied, thanks.
> >
> > Dropped my reviewed by tag. :(
> > https://lkml.org/lkml/2019/7/22/865
Argh, sorry!
> I'll add it.
Thanks! :)
--
Kees Cook