| From 984f1733fcee3fbc78d47e26c5096921c5d9946a Mon Sep 17 00:00:00 2001 |
| From: Alan Stern <stern@rowland.harvard.edu> |
| Date: Fri, 6 Sep 2013 11:49:51 -0400 |
| Subject: SCSI: sd: Fix potential out-of-bounds access |
| |
| From: Alan Stern <stern@rowland.harvard.edu> |
| |
| commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream. |
| |
| This patch fixes an out-of-bounds error in sd_read_cache_type(), found |
| by Google's AddressSanitizer tool. When the loop ends, we know that |
| "offset" lies beyond the end of the data in the buffer, so no Caching |
| mode page was found. In theory it may be present, but the buffer size |
| is limited to 512 bytes. |
| |
| Signed-off-by: Alan Stern <stern@rowland.harvard.edu> |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: James Bottomley <JBottomley@Parallels.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/scsi/sd.c | 11 +++-------- |
| 1 file changed, 3 insertions(+), 8 deletions(-) |
| |
| --- a/drivers/scsi/sd.c |
| +++ b/drivers/scsi/sd.c |
| @@ -2409,14 +2409,9 @@ sd_read_cache_type(struct scsi_disk *sdk |
| } |
| } |
| |
| - if (modepage == 0x3F) { |
| - sd_printk(KERN_ERR, sdkp, "No Caching mode page " |
| - "present\n"); |
| - goto defaults; |
| - } else if ((buffer[offset] & 0x3f) != modepage) { |
| - sd_printk(KERN_ERR, sdkp, "Got wrong page\n"); |
| - goto defaults; |
| - } |
| + sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n"); |
| + goto defaults; |
| + |
| Page_found: |
| if (modepage == 8) { |
| sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0); |