libata: zpodd: Fix small read overflow in zpodd_get_mech_type() - kernel

diff options

author	Kees Cook <[email protected]>	2019-07-29 21:47:22 +0000
committer	Jens Axboe <[email protected]>	2019-07-29 22:00:14 +0000
commit	71d6c505b4d9e6f76586350450e785e3d452b346 (patch)
tree	cc33745e8a9c69bdfcf813737379f4f42bce725d /tools/perf/scripts/python/event_analyzing_sample.py
parent	ataflop: Mark expected switch fall-through (diff)
download	kernel-71d6c505b4d9e6f76586350450e785e3d452b346.tar.gz kernel-71d6c505b4d9e6f76586350450e785e3d452b346.zip

libata: zpodd: Fix small read overflow in zpodd_get_mech_type()

Jeffrin reported a KASAN issue: BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70 Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149 ... The buggy address belongs to the variable: cdb.48319+0x0/0x40 Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in eject_tray()"), this fixes a cdb[] buffer length, this time in zpodd_get_mech_type(): We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes. Reported-by: Jeffrin Jose T <[email protected]> Fixes: afe759511808c ("libata: identify and init ZPODD devices") Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/ Tested-by: Jeffrin Jose T <[email protected]> Reviewed-by: Nick Desaulniers <[email protected]> Signed-off-by: Kees Cook <[email protected]> Signed-off-by: Jens Axboe <[email protected]>

Diffstat (limited to 'tools/perf/scripts/python/event_analyzing_sample.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: