Re: [PATCH v3] ata: libata-core: Reject an invalid concurrent positioning ranges count

Next message: Bryan O'Donoghue: "Re: [PATCH v3] media: as102: drop device reference on probe failure"
Previous message: Joseph Qi: "Re: [PATCH v4 1/2] ocfs2: validate inline xattrs during inode block validation"
In reply to: Bryam Vargas via B4 Relay: "[PATCH v3] ata: libata-core: Reject an invalid concurrent positioning ranges count"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Niklas Cassel

Date: Tue Jun 23 2026 - 04:59:59 EST

On Mon, Jun 22, 2026 at 10:23:45PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> ata_dev_config_cpr() takes the number of range descriptors from buf[0]
> of the concurrent positioning ranges log (up to 255), which the device
> reports independently of the log size in the GPL directory. The count is
> then walked at a fixed 32-byte stride in two places with no bound: the
> log read here, and the INQUIRY VPD page B9h emitter, which writes one
> descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device
> reporting a count larger than its own log overflows the read buffer (up
> to 7704 bytes past a 512-byte slab), and a count above 62 overflows the
> response buffer on the emit side.
>
> Bound the count once, on probe, against both the log the device returned
> and the number of descriptors the VPD B9h response buffer can hold
> (ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range
> count with a warning; this keeps the emitter in bounds with no separate
> change there.
>
> Suggested-by: Damien Le Moal <dlemoal@xxxxxxxxxx>
> Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
> Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

Reviewed-by: Niklas Cassel <cassel@xxxxxxxxxx>