| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 29 May 2018 12:13:24 +0300 |
| Subject: libata: zpodd: small read overflow in eject_tray() |
| |
| commit 18c9a99bce2a57dfd7e881658703b5d7469cc7b9 upstream. |
| |
| We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be |
| ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes. |
| |
| Fixes: 213342053db5 ("libata: handle power transition of ODD") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Tejun Heo <tj@kernel.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/ata/libata-zpodd.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/ata/libata-zpodd.c |
| +++ b/drivers/ata/libata-zpodd.c |
| @@ -34,7 +34,7 @@ struct zpodd { |
| static int eject_tray(struct ata_device *dev) |
| { |
| struct ata_taskfile tf; |
| - static const char cdb[] = { GPCMD_START_STOP_UNIT, |
| + static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT, |
| 0, 0, 0, |
| 0x02, /* LoEj */ |
| 0, 0, 0, 0, 0, 0, 0, |