summaryrefslogtreecommitdiff
path: root/arch/nds32/include/asm/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorBryam Vargas <hexlabsecurity@proton.me>2026-06-22 22:23:45 -0500
committerDamien Le Moal <dlemoal@kernel.org>2026-07-03 13:44:18 +0900
commit533a0b940f901c15e5cbbd4b5d66e871c209e8ce (patch)
treeed19ca4c626d9496522c7ac3a6aac68e0fa08a31 /arch/nds32/include/asm/git@git.tavy.me:linux.git
parent462775c620197adaabc983ce847e5b9878ff4cb0 (diff)
ata: libata-core: Reject an invalid concurrent positioning ranges count
ata_dev_config_cpr() takes the number of range descriptors from buf[0] of the concurrent positioning ranges log (up to 255), which the device reports independently of the log size in the GPL directory. The count is then walked at a fixed 32-byte stride in two places with no bound: the log read here, and the INQUIRY VPD page B9h emitter, which writes one descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device reporting a count larger than its own log overflows the read buffer (up to 7704 bytes past a 512-byte slab), and a count above 62 overflows the response buffer on the emit side. Bound the count once, on probe, against both the log the device returned and the number of descriptors the VPD B9h response buffer can hold (ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range count with a warning; this keeps the emitter in bounds with no separate change there. Suggested-by: Damien Le Moal <dlemoal@kernel.org> Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Reviewed-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Diffstat (limited to 'arch/nds32/include/asm/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions