| author | Bryam Vargas <hexlabsecurity@proton.me> | 2026-06-22 22:23:45 -0500 |
|---|---|---|
| committer | Damien Le Moal <dlemoal@kernel.org> | 2026-07-03 13:44:18 +0900 |
| commit | 533a0b940f901c15e5cbbd4b5d66e871c209e8ce (patch) | |
| tree | ed19ca4c626d9496522c7ac3a6aac68e0fa08a31 /arch/nds32/include/asm/git@git.tavy.me:linux.git | |
| parent | 462775c620197adaabc983ce847e5b9878ff4cb0 (diff) | |
ata: libata-core: Reject an invalid concurrent positioning ranges count

ata_dev_config_cpr() takes the number of range descriptors from buf[0]
of the concurrent positioning ranges log (up to 255), which the device
reports independently of the log size in the GPL directory. The count is
then walked at a fixed 32-byte stride in two places with no bound: the
log read here, and the INQUIRY VPD page B9h emitter, which writes one
descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device
reporting a count larger than its own log overflows the read buffer (up
to 7704 bytes past a 512-byte slab), and a count above 62 overflows the
response buffer on the emit side.

Bound the count once, on probe, against both the log the device returned
and the number of descriptors the VPD B9h response buffer can hold
(ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range
count with a warning; this keeps the emitter in bounds with no separate
change there.

Suggested-by: Damien Le Moal <dlemoal@kernel.org>
Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Diffstat (limited to 'arch/nds32/include/asm/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
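
The double bound described in the commit message, as an added user-space C example; it is not the kernel patch. The function and macro names are hypothetical, and the 64-byte header before the first descriptor and the field offsets 8 and 16 inside a descriptor are assumptions (they agree with the 62-descriptor and 7704-byte figures in the message).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CPR_HDR_SIZE  64u    /* assumed offset of the first descriptor */
#define CPR_DESC_SIZE 32u    /* fixed stride named in the commit message */
#define RBUF_SIZE     2048u  /* size of the VPD B9h response buffer */
#define MAX_CPR       ((RBUF_SIZE - CPR_HDR_SIZE) / CPR_DESC_SIZE) /* 62 */

struct cpr_range { uint8_t num; uint64_t start_lba, num_lbas; };

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Check the device-reported count in log[0] against the emit-side capacity
 * and the bytes actually read, then parse. Returns ranges stored, or -1. */
static int cpr_parse(const uint8_t *log, size_t log_len,
                     struct cpr_range *out, size_t out_cap)
{
    size_t nr, i;

    if (log_len < CPR_HDR_SIZE)
        return -1;
    nr = log[0];
    if (nr > MAX_CPR || nr > out_cap)                   /* emit-side bound */
        return -1;
    if (nr > (log_len - CPR_HDR_SIZE) / CPR_DESC_SIZE)  /* read-side bound */
        return -1;
    for (i = 0; i < nr; i++) {
        const uint8_t *desc = log + CPR_HDR_SIZE + i * CPR_DESC_SIZE;
        out[i].num = desc[0];
        out[i].start_lba = le64(desc + 8);
        out[i].num_lbas = le64(desc + 16);
    }
    return (int)nr;
}

int main(void)
{
    uint8_t log[512] = { 255 };  /* constructed log: count 255, one sector */
    struct cpr_range r[MAX_CPR];
    printf("count 255 in 512-byte log: %d\n",
           cpr_parse(log, sizeof(log), r, MAX_CPR));
    return 0;
}
```

Both checks are needed: a 512-byte log holds at most 14 descriptors under these assumptions, while a larger log can still carry a count the 2048-byte response buffer cannot hold.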
