Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp5214591ybl; Tue, 27 Aug 2019 00:55:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqywxuv8iaqORMLO3tDGRWlS7J9RuTCATJnpy3lLyyCJjVJ9PM6QcqoWcSWCChfYSSxLzApk X-Received: by 2002:a63:8dc9:: with SMTP id z192mr19666951pgd.151.1566892524034; Tue, 27 Aug 2019 00:55:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566892524; cv=none; d=google.com; s=arc-20160816; b=QyYul9KrgVWKWtmnB0dY05/6Q/3DygnehJjtCsmyaaY7P87khPreHM7YGWxGpRo87w 69B/RU+rBra99xe68X+8AmjlFzLKZBE5Uwr2KSGHI3K27t09wdw9fry5gbhfPk2nKFB0 pYEegHNtkjhMR/vGyGAX61neJjbnWr0XlrmVOqWsqbjNBapCiYBnrmufUqoNWONxTQA8 LqxHa14TKMyB37zVNSPRFfCdkzeBaw2wX/65sNtOXMmCxaGvNulc5LeGRj0wQ4mu7neY hKnuLvS9zpKUBDWQjYu3VKZXuC9gin7E/H95uZI5zwd1LScr8Tn6//4kECr9yRg69lbh idrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=dcPeZanvnUqR8PiNwk+o22KvHBrBlGn/OZ2CQDiwy+Y=; b=KLEkcU3/JKh4rf6taP62+6mV1EyM8lU8UkNyTVTW82xLxYwCiGM2IAeRvCWeVJ+wiK g/sytTqzAH4nv7J/Fmb/Br22ogPywegO39iXB53RscWs8RljZpYDeXtOdTdnBSjjertw pM8u+Vfbb1cpcsfXgntNX92/5FldP0D9vsW+UUi7EDIU3VE1F3LTwnsSPqtsIDL3rYI2 KSAucLofRpMNKBEO4Qkk0jS2YrpHP1OS0SUxamPcaBSLiwUOQCOxQRu7serVlxv1qTm8 0EQSkFG/nD6uM/DzSW6x7H5p8UMmwC3Jo52t7UNm6qcbJI0e8W8JQQ/pwz8m3mB2YxfY bbeg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GwIiqZm1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g2si13650629pfq.160.2019.08.27.00.55.09; Tue, 27 Aug 2019 00:55:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GwIiqZm1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729575AbfH0Hwo (ORCPT + 99 others); Tue, 27 Aug 2019 03:52:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:44092 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729543AbfH0Hwl (ORCPT ); Tue, 27 Aug 2019 03:52:41 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3F56A206BA; Tue, 27 Aug 2019 07:52:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566892360; bh=/KOK3OH48vC2VItYTbJKiYMJWE2BEQfRSMdBrCQG9Tw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GwIiqZm1WMIjd81MgFnwFV3ZlFg1RKCAuK0rhMm9fIbSFVuSCzhDSw0qxB2g4utko kzPayiEstfmuZX3gf5TeFgFD/Qi0YVgFuwdMoI8s7TShY/hyECFKQYa+bSgjGKjHzD yzDZd699E3+ivPOkz8WvjhCwbnaEjrRqEedFbKHo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Krishna Ram Prakash R , Kees Cook , Jens Axboe , Sasha Levin Subject: [PATCH 4.14 28/62] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Date: Tue, 27 Aug 2019 09:50:33 +0200 Message-Id: <20190827072702.163588625@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190827072659.803647352@linuxfoundation.org> References: <20190827072659.803647352@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ] For passthrough requests, libata-scsi takes what the user passes in as gospel. This can be problematic if the user fills in the CDB incorrectly. One example of that is in request sizes. For read/write commands, the CDB contains fields describing the transfer length of the request. These should match with the SG_IO header fields, but libata-scsi currently does no validation of that. Check that the number of blocks in the CDB for passthrough requests matches what was mapped into the request. If the CDB asks for more data then the validated SG_IO header fields, error it. Reported-by: Krishna Ram Prakash R Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index bf5777bc04d35..eb0c4ee205258 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -1804,6 +1804,21 @@ nothing_to_do: return 1; } +static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks) +{ + struct request *rq = scmd->request; + u32 req_blocks; + + if (!blk_rq_is_passthrough(rq)) + return true; + + req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size; + if (n_blocks > req_blocks) + return false; + + return true; +} + /** * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one * @qc: Storage for translated ATA taskfile @@ -1848,6 +1863,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) scsi_10_lba_len(cdb, &block, &n_block); if (cdb[1] & (1 << 3)) tf_flags |= ATA_TFLAG_FUA; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; case READ_6: case WRITE_6: @@ -1862,6 +1879,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) */ if (!n_block) n_block = 256; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; case READ_16: case WRITE_16: @@ -1872,6 +1891,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) scsi_16_lba_len(cdb, &block, &n_block); if (cdb[1] & (1 << 3)) tf_flags |= ATA_TFLAG_FUA; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; default: DPRINTK("no-byte command\n"); -- 2.20.1