From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Krishna Ram Prakash R, Kees Cook, Jens Axboe
Subject: [PATCH 4.9 154/222] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
Date: Fri, 22 Nov 2019 11:28:14 +0100
Message-Id: <20191122100913.838547114@linuxfoundation.org>

From: Jens Axboe

commit 2d7271501720038381d45fb3dcbe4831228fc8cc upstream.

For passthrough requests, libata-scsi takes what the user passes in
as gospel. This can be problematic if the user fills in the CDB
incorrectly. One example of that is in request sizes. For read/write
commands, the CDB contains fields describing the transfer length of
the request. These should match with the SG_IO header fields, but
libata-scsi currently does no validation of that.

Check that the number of blocks in the CDB for passthrough requests
matches what was mapped into the request. If the CDB asks for more
data than the validated SG_IO header fields, error it.

Reported-by: Krishna Ram Prakash R
Reviewed-by: Kees Cook
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
---
 drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1734,6 +1734,21 @@ nothing_to_do: return 1; } +static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks) +{ + struct request *rq = scmd->request; + u32 req_blocks; + + if (!blk_rq_is_passthrough(rq)) + return true; + + req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size; + if (n_blocks > req_blocks) + return false; + + return true; +} + /** * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one * @qc: Storage for translated ATA taskfile @@ -1776,6 +1791,8 @@ static unsigned int ata_scsi_rw_xlat(str scsi_10_lba_len(cdb, &block, &n_block); if (cdb[1] & (1 << 3)) tf_flags |= ATA_TFLAG_FUA; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; case READ_6: case WRITE_6: @@ -1790,6 +1807,8 @@ static unsigned int ata_scsi_rw_xlat(str */ if (!n_block) n_block = 256; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; case READ_16: case WRITE_16: @@ -1800,6 +1819,8 @@ static unsigned int ata_scsi_rw_xlat(str scsi_16_lba_len(cdb, &block, &n_block); if (cdb[1] & (1 << 3)) tf_flags |= ATA_TFLAG_FUA; + if (!ata_check_nblocks(scmd, n_block)) + goto invalid_fld; break; default: DPRINTK("no-byte command\n");
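
Review bot: ata_check_nblocks() in the first hunk has no comment, and its comparison `n_blocks > req_blocks` only rejects a CDB that asks for more than was mapped, while the commit message first says the counts should match. A short comment above the helper stating that a CDB asking for fewer blocks than the mapped request is deliberately accepted, and that non-passthrough requests return true early, would make the intended contract explicit. Note also that `blk_rq_bytes(rq) / scmd->device->sector_size` rounds down, so a mapped size that is not a whole number of sectors is treated as the smaller block count; that is the safe direction, but worth saying. The tail could be simplified to `return n_blocks <= req_blocks;`.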
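
Review bot: In the READ_6/WRITE_6 hunk the new check is only correct because it sits after `if (!n_block) n_block = 256;`. A zero length field in a 6-byte CDB means 256 blocks, so a check placed before that fixup would compare 0 against req_blocks and pass a 256-block transfer against a smaller mapped request. A one-line comment at the call noting that the check must follow the zero-length fixup would guard against a later reordering.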
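
Review bot: The READ_10/WRITE_10 and READ_16/WRITE_16 hunks add the same two lines, `if (!ata_check_nblocks(scmd, n_block))` and `goto invalid_fld;`, that the READ_6/WRITE_6 arm also gets, so the validation exists three times and any read/write arm added later has to remember to repeat it. Since every one of these arms ends in `break` with n_block already set, consider a single check after the switch instead; if per-arm placement is intentional, a comment saying so would help.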