Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in ata_scsi_pass_thru.
The error is fixed in 5.18 by commit ce70fd9a551af7424a7dace2a1ba05a7de8eae27. Backporting this commit would require significant changes to the code so it is bettter to use a simple fix for that particular error.
The problem is that the length of the received SCSI command is not validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds reading if the user sends a request with SCSI command of length less than 32.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Artem Sadovnikov ancowi69@gmail.com Signed-off-by: Mikhail Ivanov iwanov-23@bk.ru --- drivers/ata/libata-scsi.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index dfa090ccd21c..77589e911d3d 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -4065,6 +4065,9 @@ int __ata_scsi_queuecmd(struct scsi_cmnd *scmd, struct ata_device *dev)
if (unlikely(!scmd->cmd_len)) goto bad_cdb_len; + + if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32) + goto bad_cdb_len;
if (dev->class == ATA_DEV_ATA || dev->class == ATA_DEV_ZAC) { if (unlikely(scmd->cmd_len > dev->cdb_len))
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: The upstream commit ID must be specified with a separate line above the commit text. Subject: [PATCH 5.10/5.15] scsi: add a length check for VARIABLE_LENGTH_CMD commands Link: https://lore.kernel.org/stable/20240306135010.9250-1-mish.uxin2012%40yandex....
Please ignore this mail if the patch is not relevant for upstream.
linux-stable-mirror@lists.linaro.org
-
kernel test robot -
Mikhail Ukhin