All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Karuna Ramkumar" <rkaruna@google.com>
Cc: cassel@kernel.org, linux-ide@vger.kernel.org, dlemoal@kernel.org
Subject: Re: [PATCH] ata: libata-scsi: limit simulated SCSI command copy to response length
Date: Mon, 29 Jun 2026 18:05:13 +0000	[thread overview]
Message-ID: <20260629180513.C8DCB1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260629175024.2187500-1-rkaruna@google.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [Critical] A malicious or misconfigured ATA device can trigger an out-of-bounds heap read in ata_dev_config_cpr() and a massive global buffer overflow in ata_scsiop_inq_b9() by reporting a large nr_cpr value. The newly added defensive check in ata_scsi_rbuf_fill() executes after the overflow has already occurred.
- [Critical] ata_format_dsm_trim_descr() overflows the static ata_scsi_rbuf for devices with large sector sizes.
--

commit 8b4a8e5bfe8806f87d80466e94aa7a4684517178
Author: Karuna Ramkumar <rkaruna@google.com>

ata: libata-scsi: limit simulated SCSI command copy to response length

The function ata_scsi_rbuf_fill() is used to copy the response of
emulated SCSI commands from ata_scsi_rbuf to the SCSI command's
scatterlist.

[ ... ]

> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
> index d54ec1631e9a6..0ddec111a78c4 100644
> --- a/drivers/ata/libata-scsi.c
> +++ b/drivers/ata/libata-scsi.c
> @@ -1933,8 +1933,10 @@ static void ata_scsi_rbuf_fill(struct ata_device *dev, struct scsi_cmnd *cmd,
>  	memset(ata_scsi_rbuf, 0, ATA_SCSI_RBUF_SIZE);
>  	len = actor(dev, cmd, ata_scsi_rbuf);
>  	if (len) {
> +		if (WARN_ON(len > ATA_SCSI_RBUF_SIZE))
> +			len = ATA_SCSI_RBUF_SIZE;

[Severity: Critical]
This is a pre-existing issue, but does the overflow already occur before this
check is reached?

The actor function writes directly into the static ata_scsi_rbuf array.
For example, in ata_scsiop_inq_b9():

    for (i = 0; i < cpr_log->nr_cpr; i++, desc += 32) {
        ...
        put_unaligned_be64(cpr_log->cpr[i].num_lbas, &desc[16]);
    }

If a device reports a large nr_cpr value (up to 255), this loop could write
up to 8224 bytes into the 2048-byte ata_scsi_rbuf array during the actor()
call, before the defensive WARN_ON() check has a chance to execute.

Additionally, could ata_dev_config_cpr() perform an out-of-bounds heap read
when reading this large nr_cpr value?

    cpr_log->nr_cpr = nr_cpr;
    desc = &buf[64];
    for (i = 0; i < nr_cpr; i++, desc += 32) {
        cpr_log->cpr[i].num = desc[0];
        ...

If nr_cpr exceeds the allocated buffer space based on buf_len, this loop
appears to read past the end of the allocation.


[Severity: Critical]
This is also a pre-existing issue, but does ata_format_dsm_trim_descr()
overflow this same static buffer for devices with large sector sizes?

When a filesystem discard is issued to a device with a 4K logical sector size,
ata_scsi_write_same_xlat() calculates trmax as 512:

    size_t len = sdp->sector_size;
    ...
    const u32 trmax = len >> 3;

In ata_format_dsm_trim_descr():

    if (len > ATA_SCSI_RBUF_SIZE)
        len = ATA_SCSI_RBUF_SIZE;
    ...
    memset(buf, 0, len);
    while (i < trmax) {
        ...
        buf[i++] = __cpu_to_le64(entry);

While the memset() length is properly capped to 2048 bytes, the while loop
continues up to trmax. For a trmax of 512, this writes 512 8-byte entries
(4096 bytes) into the 2048-byte ata_scsi_rbuf array.

>  		sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
> -				    ata_scsi_rbuf, ATA_SCSI_RBUF_SIZE);
> +				    ata_scsi_rbuf, len);
>  		cmd->result = SAM_STAT_GOOD;
>  		if (scsi_bufflen(cmd) > len)
>  			scsi_set_resid(cmd, scsi_bufflen(cmd) - len);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629175024.2187500-1-rkaruna@google.com?part=1

  reply	other threads:[~2026-06-29 18:05 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 17:50 [PATCH] ata: libata-scsi: limit simulated SCSI command copy to response length Karuna Ramkumar
2026-06-29 18:05 ` sashiko-bot [this message]
2026-06-30  0:05 ` Damien Le Moal
2026-06-30  0:19   ` Karuna Ramkumar
2026-06-30  0:20     ` Damien Le Moal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629180513.C8DCB1F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=cassel@kernel.org \
    --cc=dlemoal@kernel.org \
    --cc=linux-ide@vger.kernel.org \
    --cc=rkaruna@google.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.