libata: zpodd: small read overflow in eject_tray()

Message ID	20180529091320.axeryttqycdexzm5@kili.mountain
State	Not Applicable
Delegated to:	David Miller
Headers	show Return-Path: <linux-ide-owner@vger.kernel.org> Date: Tue, 29 May 2018 12:13:24 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Tejun Heo <tj@kernel.org>, Aaron Lu <aaron.lu@intel.com> Cc: linux-ide@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] libata: zpodd: small read overflow in eject_tray() Message-ID: <20180529091320.axeryttqycdexzm5@kili.mountain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-ide-owner@vger.kernel.org Precedence: bulk
Series	libata: zpodd: small read overflow in eject_tray() \| expand libata: zpodd: small read overflow in eject_tray()

Message ID

20180529091320.axeryttqycdexzm5@kili.mountain

State

Not Applicable

Delegated to:

David Miller

Headers

Date: Tue, 29 May 2018 12:13:24 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Tejun Heo <tj@kernel.org>, Aaron Lu <aaron.lu@intel.com>
Cc: linux-ide@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] libata: zpodd: small read overflow in eject_tray()
Message-ID: <20180529091320.axeryttqycdexzm5@kili.mountain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-ide-owner@vger.kernel.org
Precedence: bulk

Series

libata: zpodd: small read overflow in eject_tray() | expand

Commit Message

Dan Carpenter May 29, 2018, 9:13 a.m. UTC

We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Tejun Heo May 29, 2018, 1:50 p.m. UTC | #1

On Tue, May 29, 2018 at 12:13:24PM +0300, Dan Carpenter wrote:
> We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
> 
> Fixes: 213342053db5 ("libata: handle power transition of ODD")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied to libata/for-4.17-fixes w/ stable cc'd.

Thanks.

Aaron Lu May 30, 2018, 6:20 a.m. UTC | #2

On Tue, May 29, 2018 at 12:13:24PM +0300, Dan Carpenter wrote:
> We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Thanks for the fix!

> 
> Fixes: 213342053db5 ("libata: handle power transition of ODD")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
> index de4ddd0e8550..b3ed8f9953a8 100644
> --- a/drivers/ata/libata-zpodd.c
> +++ b/drivers/ata/libata-zpodd.c
> @@ -35,7 +35,7 @@ struct zpodd {
>  static int eject_tray(struct ata_device *dev)
>  {
>  	struct ata_taskfile tf;
> -	static const char cdb[] = {  GPCMD_START_STOP_UNIT,
> +	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,
>  		0, 0, 0,
>  		0x02,     /* LoEj */
>  		0, 0, 0, 0, 0, 0, 0,
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index de4ddd0e8550..b3ed8f9953a8 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -35,7 +35,7 @@  struct zpodd {
 static int eject_tray(struct ata_device *dev)
 {
 	struct ata_taskfile tf;
-	static const char cdb[] = {  GPCMD_START_STOP_UNIT,
+	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,
 		0, 0, 0,
 		0x02,     /* LoEj */
 		0, 0, 0, 0, 0, 0, 0,

libata: zpodd: small read overflow in eject_tray()

Commit Message

Comments

Patch