sst-linux/drivers/ata
Niklas Cassel a8f8cf8705 ata: libata-sff: Ensure that we cannot write outside the allocated buffer
commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.

reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
write outside the allocated buffer, overwriting random memory.

While an ATA device is supposed to abort an ATA_NOP command, there does seem
to be a bug either in libata-sff or QEMU, where either this status is not
set, or the status is cleared before read by ata_sff_hsm_move().
Anyway, that is most likely a separate bug.

Looking at __atapi_pio_bytes(), it already has a safety check to ensure
that __atapi_pio_bytes() cannot write outside the allocated buffer.

Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
cannot write outside the allocated buffer.

Cc: stable@vger.kernel.org
Reported-by: reveliofuzzing <reveliofuzzing@gmail.com>
Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-02-21 13:49:49 +01:00
acard-ahci.c
ahci_brcm.c
ahci_ceva.c ata: ahci_ceva: fix error handling for Xilinx GT PHY support 2024-03-01 13:26:36 +01:00
ahci_da850.c
ahci_dm816.c
ahci_dwc.c
ahci_imx.c
ahci_mtk.c
ahci_mvebu.c
ahci_octeon.c
ahci_platform.c
ahci_qoriq.c
ahci_seattle.c
ahci_st.c
ahci_sunxi.c
ahci_tegra.c
ahci_xgene.c
ahci.c ata: ahci: Clean up sysfs file on error 2024-07-05 09:31:59 +02:00
ahci.h ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers 2024-03-01 13:26:26 +01:00
ata_generic.c
ata_piix.c
Kconfig
libahci_platform.c
libahci.c ata: libahci: clear pending interrupt status 2023-09-23 11:11:12 +02:00
libata-acpi.c
libata-core.c ata: libata: Fix memory leak for error path in ata_host_alloc() 2024-09-12 11:10:16 +02:00
libata-eh.c ata: libata: avoid superfluous disk spin down + spin up during hibernation 2024-10-17 15:22:26 +02:00
libata-pata-timings.c
libata-pmp.c
libata-sata.c ata: libata: disallow dev-initiated LPM transitions to unsupported states 2023-09-23 11:11:12 +02:00
libata-scsi.c Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error" 2024-08-19 06:00:07 +02:00
libata-sff.c ata: libata-sff: Ensure that we cannot write outside the allocated buffer 2025-02-21 13:49:49 +01:00
libata-trace.c
libata-transport.c ata: libata-core: Do not register PM operations for SAS ports 2023-10-06 14:57:05 +02:00
libata-transport.h
libata-zpodd.c
libata.h ata: libata-scsi: Disable scsi device manage_system_start_stop 2023-10-19 23:08:50 +02:00
Makefile
pata_acpi.c
pata_ali.c
pata_amd.c
pata_arasan_cf.c ata: pata_arasan_cf: Use dev_err_probe() instead dev_err() in data_xfer() 2023-09-13 09:42:23 +02:00
pata_artop.c
pata_atiixp.c
pata_atp867x.c
pata_bk3710.c
pata_buddha.c
pata_cmd64x.c
pata_cmd640.c
pata_cs5520.c
pata_cs5530.c
pata_cs5535.c
pata_cs5536.c
pata_cypress.c
pata_efar.c
pata_ep93xx.c
pata_falcon.c ata: pata_falcon: fix IO base selection for Q40 2023-09-19 12:28:05 +02:00
pata_ftide010.c ata: pata_ftide010: Add missing MODULE_DESCRIPTION 2023-09-19 12:28:05 +02:00
pata_gayle.c
pata_hpt3x2n.c
pata_hpt3x3.c
pata_hpt37x.c
pata_hpt366.c
pata_icside.c
pata_imx.c
pata_isapnp.c ata: pata_isapnp: Add missing error check for devm_ioport_map() 2023-12-03 07:32:07 +01:00
pata_it821x.c
pata_it8213.c
pata_ixp4xx_cf.c
pata_jmicron.c
pata_legacy.c ata: pata_legacy: make legacy_exit() work again 2024-06-16 13:41:33 +02:00
pata_macio.c ata: pata_macio: Use WARN instead of BUG 2024-09-12 11:10:25 +02:00
pata_marvell.c
pata_mpc52xx.c
pata_mpiix.c
pata_netcell.c
pata_ninja32.c
pata_ns87410.c
pata_ns87415.c ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:24:07 +02:00
pata_octeon_cf.c
pata_of_platform.c
pata_oldpiix.c
pata_opti.c
pata_optidma.c
pata_palmld.c
pata_pcmcia.c
pata_pdc202xx_old.c
pata_pdc2027x.c
pata_piccolo.c
pata_platform.c
pata_pxa.c
pata_radisys.c
pata_rb532_cf.c
pata_rdc.c
pata_rz1000.c
pata_samsung_cf.c
pata_sc1200.c
pata_sch.c
pata_serverworks.c ata: pata_serverworks: Do not use the term blacklist 2024-10-17 15:21:43 +02:00
pata_sil680.c
pata_sis.c
pata_sl82c105.c
pata_triflex.c
pata_via.c
pdc_adma.c
sata_dwc_460ex.c
sata_fsl.c
sata_gemini.c ata: sata_gemini: Check clk_enable() result 2024-05-17 11:56:05 +02:00
sata_gemini.h
sata_highbank.c ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() 2024-12-19 18:08:48 +01:00
sata_inic162x.c
sata_mv.c ata: sata_mv: Fix PCI device ID table declaration compilation warning 2024-04-10 16:28:31 +02:00
sata_nv.c
sata_promise.c
sata_promise.h
sata_qstor.c
sata_rcar.c
sata_sil24.c
sata_sil.c ata: sata_sil: Rename sil_blacklist to sil_quirks 2024-10-17 15:21:43 +02:00
sata_sis.c
sata_svw.c
sata_sx4.c ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit 2024-04-10 16:28:31 +02:00
sata_uli.c
sata_via.c
sata_vsc.c
sis.h