| From 59a5e266c3f5c1567508888dd61a45b86daed0fa Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 19 Jul 2017 13:06:41 +0300 |
| Subject: libata: array underflow in ata_find_dev() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream. |
| |
| My static checker complains that "devno" can be negative, meaning that |
| we read before the start of the loop. I've looked at the code, and I |
| think the warning is right. This comes from /proc so it's root only or |
| it would be quite a serious bug. The call tree looks like this: |
| |
| proc_scsi_write() <- gets id and channel from simple_strtoul() |
| -> scsi_add_single_device() <- calls shost->transportt->user_scan() |
| -> ata_scsi_user_scan() |
| -> ata_find_dev() |
| |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Tejun Heo <tj@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/ata/libata-scsi.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/ata/libata-scsi.c |
| +++ b/drivers/ata/libata-scsi.c |
| @@ -2832,10 +2832,12 @@ static unsigned int atapi_xlat(struct at |
| static struct ata_device *ata_find_dev(struct ata_port *ap, int devno) |
| { |
| if (!sata_pmp_attached(ap)) { |
| - if (likely(devno < ata_link_max_devices(&ap->link))) |
| + if (likely(devno >= 0 && |
| + devno < ata_link_max_devices(&ap->link))) |
| return &ap->link.device[devno]; |
| } else { |
| - if (likely(devno < ap->nr_pmp_links)) |
| + if (likely(devno >= 0 && |
| + devno < ap->nr_pmp_links)) |
| return &ap->pmp_link[devno].device[0]; |
| } |
| |
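Review bot: Nothing at the two new `devno >= 0` checks records why a negative index is reachable here, so a later cleanup could remove the lower bound as apparently redundant. A short comment above the first check would keep the reason visible, for example `/* devno derives from a user-supplied id written to /proc/scsi/scsi and may be negative */`. Going by the call tree in the commit message, the value is parsed with simple_strtoul() and presumably becomes a signed int somewhere before ata_scsi_user_scan(), so rejecting out-of-range ids at that entry point as well would stop other consumers of the same value from depending on this leaf check; that code is not visible in this hunk. The body of ata_find_dev() continues past the end of the hunk, so the out-of-range return path cannot be confirmed from here.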