From: Niklas Cassel <cassel@kernel.org>
To: hexlabsecurity@proton.me
Cc: Damien Le Moal <dlemoal@kernel.org>,
linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] ata: libata-core: Reject an invalid concurrent positioning ranges count
Date: Tue, 23 Jun 2026 10:54:33 +0200 [thread overview]
Message-ID: <ajpJyZFqNIaFzXxe@ryzen> (raw)
In-Reply-To: <20260622-b4-disp-1b9ba697-v3-1-14ac65dd4413@proton.me>
On Mon, Jun 22, 2026 at 10:23:45PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
>
> ata_dev_config_cpr() takes the number of range descriptors from buf[0]
> of the concurrent positioning ranges log (up to 255), which the device
> reports independently of the log size in the GPL directory. The count is
> then walked at a fixed 32-byte stride in two places with no bound: the
> log read here, and the INQUIRY VPD page B9h emitter, which writes one
> descriptor per range into the fixed 2048-byte ata_scsi_rbuf. A device
> reporting a count larger than its own log overflows the read buffer (up
> to 7704 bytes past a 512-byte slab), and a count above 62 overflows the
> response buffer on the emit side.
>
> Bound the count once, on probe, against both the log the device returned
> and the number of descriptors the VPD B9h response buffer can hold
> (ATA_DEV_MAX_CPR, derived from the rbuf size). Reject an out-of-range
> count with a warning; this keeps the emitter in bounds with no separate
> change there.
>
> Suggested-by: Damien Le Moal <dlemoal@kernel.org>
> Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
> Fixes: c745dfc541e7 ("libata: fix reading concurrent positioning ranges log")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
prev parent reply other threads:[~2026-06-23 8:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 3:23 [PATCH v3] ata: libata-core: Reject an invalid concurrent positioning ranges count Bryam Vargas
2026-06-23 3:23 ` Bryam Vargas via B4 Relay
2026-06-23 8:54 ` Niklas Cassel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajpJyZFqNIaFzXxe@ryzen \
--to=cassel@kernel.org \
--cc=dlemoal@kernel.org \
--cc=hexlabsecurity@proton.me \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.