Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

libata: have ata_scsi_rw_xlat() fail invalid passthrough requests

[ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ]

For passthrough requests, libata-scsi takes what the user passes in
as gospel. This can be problematic if the user fills in the CDB
incorrectly. One example of that is in request sizes. For read/write
commands, the CDB contains fields describing the transfer length of
the request. These should match with the SG_IO header fields, but
libata-scsi currently does no validation of that.

Check that the number of blocks in the CDB for passthrough requests
matches what was mapped into the request. If the CDB asks for more
data then the validated SG_IO header fields, error it.

Reported-by: Krishna Ram Prakash R <krp@gtux.in>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jens Axboe 6 years ago
parent
e0c030221b
commit
3b84bbef51
1 changed files with 21 additions and 0 deletions
Split View Show Diff Stats
  1. 21 0
      drivers/ata/libata-scsi.c

+ 21 - 0
drivers/ata/libata-scsi.c
View File 

@@ -1803,6 +1803,21 @@ nothing_to_do:
 
 	return 1;
 
 }
 
 
+static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
 
+{
 
+	struct request *rq = scmd->request;
 
+	u32 req_blocks;
 
+
 
+	if (!blk_rq_is_passthrough(rq))
 
+		return true;
 
+
 
+	req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
 
+	if (n_blocks > req_blocks)
 
+		return false;
 
+
 
+	return true;
 
+}
 
+
 
 /**
 
  *	ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
 
  *	@qc: Storage for translated ATA taskfile
 
@@ -1847,6 +1862,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 
 		scsi_10_lba_len(cdb, &block, &n_block);
 
 		if (cdb[1] & (1 << 3))
 
 			tf_flags |= ATA_TFLAG_FUA;
 
+		if (!ata_check_nblocks(scmd, n_block))
 
+			goto invalid_fld;
 
 		break;
 
 	case READ_6:
 
 	case WRITE_6:
 
@@ -1861,6 +1878,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 
 		 */
 
 		if (!n_block)
 
 			n_block = 256;
 
+		if (!ata_check_nblocks(scmd, n_block))
 
+			goto invalid_fld;
 
 		break;
 
 	case READ_16:
 
 	case WRITE_16:
 
@@ -1871,6 +1890,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 
 		scsi_16_lba_len(cdb, &block, &n_block);
 
 		if (cdb[1] & (1 << 3))
 
 			tf_flags |= ATA_TFLAG_FUA;
 
+		if (!ata_check_nblocks(scmd, n_block))
 
+			goto invalid_fld;
 
 		break;
 
 	default:
 
 		DPRINTK("no-byte command\n");