From: Niklas Cassel <cassel@kernel.org>
To: reveliofuzzing <reveliofuzzing@gmail.com>
Cc: damien.lemoal@opensource.wdc.com, linux-ide@vger.kernel.org
Subject: Re: out-of-bounds write in the function ata_pio_sector
Date: Thu, 2 Jan 2025 11:40:20 +0100
Message-ID: <Z3ZtFDgs61oDMMB9@ryzen>
In-Reply-To: <CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com>
Hello reveliofuzzing,
On Wed, Jan 01, 2025 at 09:17:02PM -0500, reveliofuzzing wrote:
> Hi there,
>
> We found an out-of-bounds write in the function ata_pio_sector, which can cause
> the kernel to crash. We would like to report it for your reference.
>
> ## Problem in ata_pio_sector
> ata_pio_sector uses the following code to decide which page to use for the I/O:
> page = sg_page(qc->cursg);
> offset = qc->cursg->offset + qc->cursg_ofs;
>
> /* get the current page and offset */
> page = nth_page(page, (offset >> PAGE_SHIFT));
> offset %= PAGE_SIZE;
> but we found that `offset` could be as high as 0x5000---qc->cursg_ofs==0x5000,
> qc->cursg->offset == 0x0, making `page` point to a higher-position page that
> belongs to other threads.
>
> ## Example crash
> This out-of-bounds write can cause the kernel to crash at arbitrary places,
> depending on when the corrupted page is accessed by the other thread.
>
> We found this problem can happen in Linux kernel 6.1~6.12. Here is one crash in
> Linux kernel 6.1:
Thank you for reporting!
I assume that you haven't tested kernels earlier than 6.1?
(Looking at the driver, there was no major change between 6.0 and 6.1,
so this bug has probably been there for a long time.)
Could you please share your reproducer and your kernel config as well?
Kind regards,
Niklas
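The page/offset arithmetic quoted in the report, rewritten as a small stand-alone C model (an added example, not kernel code): it reproduces the `nth_page(page, offset >> PAGE_SHIFT)` / `offset %= PAGE_SIZE` computation and pairs it with the bounds check that this arithmetic alone does not perform, namely that the sector being transferred must still lie inside the bytes the current scatterlist entry covers. `struct model_sg`, `MODEL_PAGE_SHIFT`, the sg length and the page indices are constructed for illustration; the only value taken from the report is `cursg_ofs == 0x5000` with `cursg->offset == 0`.

```c
/* Model of the page/offset arithmetic in ata_pio_sector (libata-sff).
 * Added example, not kernel code: PAGE_SHIFT, the sg entry contents and
 * the page numbering below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12UL                       /* assumed 4 KiB pages */
#define MODEL_PAGE_SIZE  (1UL << MODEL_PAGE_SHIFT)

/* Minimal stand-in for the scatterlist fields the quoted code reads. */
struct model_sg {
    unsigned long first_page;  /* index of the page sg_page() would return */
    unsigned int  offset;      /* cursg->offset */
    unsigned int  length;      /* cursg->length: bytes this entry covers */
};

/* Where the quoted arithmetic ends up pointing. */
struct pio_target {
    unsigned long page;    /* page index after nth_page() */
    unsigned int  offset;  /* in-page offset after offset %= PAGE_SIZE */
};

/* Reproduces the computation quoted in the report, step by step. */
struct pio_target pio_locate(const struct model_sg *sg, unsigned int cursg_ofs)
{
    struct pio_target t;
    unsigned int offset = sg->offset + cursg_ofs;      /* cursg->offset + cursg_ofs */
    t.page   = sg->first_page + (offset >> MODEL_PAGE_SHIFT); /* nth_page() */
    t.offset = (unsigned int)(offset % MODEL_PAGE_SIZE);      /* offset %= PAGE_SIZE */
    return t;
}

/* The check the arithmetic does not make: a transfer of `count` bytes at
 * cursg_ofs must stay within this sg entry. The first comparison also keeps
 * the subtraction from wrapping. */
bool pio_in_bounds(const struct model_sg *sg, unsigned int cursg_ofs, unsigned int count)
{
    return cursg_ofs < sg->length && count <= sg->length - cursg_ofs;
}

int main(void)
{
    /* Constructed entry: one page starting at page 100, 0x1000 bytes long. */
    struct model_sg sg = { .first_page = 100, .offset = 0, .length = 0x1000 };
    unsigned int sector = 512;
    unsigned int cases[] = { 0x200, 0xe00, 0x5000 };  /* last one is the reported value */

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct pio_target t = pio_locate(&sg, cases[i]);
        printf("cursg_ofs=0x%x -> page %lu offset 0x%x, in bounds: %s\n",
               cases[i], t.page, t.offset,
               pio_in_bounds(&sg, cases[i], sector) ? "yes" : "no");
    }
    return 0;
}
```

With the reported values the model lands on `first_page + 5` at in-page offset 0, five pages past the only page the entry covers, which is exactly the situation the report describes; `pio_in_bounds()` rejects that transfer while accepting the two in-range offsets.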
Thread overview:
2025-01-02 2:17 out-of-bounds write in the function ata_pio_sector reveliofuzzing
2025-01-02 10:40 ` Niklas Cassel [this message]
2025-01-02 16:23 ` reveliofuzzing
2025-01-17 14:26 ` Niklas Cassel
2025-01-17 16:42 ` reveliofuzzing
2025-01-20 13:54 ` Niklas Cassel
2025-01-20 16:47 ` reveliofuzzing
2025-01-22 14:59 ` Niklas Cassel
2025-01-29 3:09 ` Martin K. Petersen
2025-01-29 9:57 ` Niklas Cassel