summaryrefslogtreecommitdiffstats
path: root/drivers/block/loop.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2019-07-29 14:47:22 -0700
committerJens Axboe <axboe@kernel.dk>2019-07-29 16:00:14 -0600
commit71d6c505b4d9e6f76586350450e785e3d452b346 (patch)
treecc33745e8a9c69bdfcf813737379f4f42bce725d /drivers/block/loop.c
parent7be21763f703d0f7e878283ec31e52b225097449 (diff)
downloadlinux-71d6c505b4d9e6f76586350450e785e3d452b346.tar.bz2
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
Jeffrin reported a KASAN issue: BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70 Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149 ... The buggy address belongs to the variable: cdb.48319+0x0/0x40 Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in eject_tray()"), this fixes a cdb[] buffer length, this time in zpodd_get_mech_type(): We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes. Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in> Fixes: afe759511808c ("libata: identify and init ZPODD devices") Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/ Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'drivers/block/loop.c')
0 files changed, 0 insertions, 0 deletions