From: Niklas Cassel <cassel@kernel.org>
To: reveliofuzzing <reveliofuzzing@gmail.com>
Cc: damien.lemoal@opensource.wdc.com, linux-ide@vger.kernel.org
Subject: Re: out-of-bounds write in the function ata_pio_sector
Date: Thu, 2 Jan 2025 11:40:20 +0100
Message-ID: <Z3ZtFDgs61oDMMB9@ryzen>
In-Reply-To: <CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com>
Hello reveliofuzzing,
On Wed, Jan 01, 2025 at 09:17:02PM -0500, reveliofuzzing wrote:
> Hi there,
>
> We found an out-of-bounds write in the function ata_pio_sector, which can cause
> the kernel to crash. We would like to report it for your reference.
>
> ## Problem in ata_pio_sector
> ata_pio_sector uses the following code to decide which page to use for the I/O:
> page = sg_page(qc->cursg);
> offset = qc->cursg->offset + qc->cursg_ofs;
>
> /* get the current page and offset */
> page = nth_page(page, (offset >> PAGE_SHIFT));
> offset %= PAGE_SIZE;
> but we found that `offset` could be as high as 0x5000 (qc->cursg_ofs == 0x5000,
> qc->cursg->offset == 0x0), making `page` point to a higher-position page that
> belongs to other threads.
>
> ## Example crash
> This out-of-bounds write can cause the kernel to crash at arbitrary places,
> depending on when the corrupted page is accessed by the other thread.
>
> We found this problem can happen in Linux kernel 6.1~6.12. Here is one crash in
> Linux kernel 6.1:
Thank you for reporting!
I assume that you haven't tested kernels earlier than 6.1?
(Looking at the driver, there was no major change between 6.0 and 6.1,
so this bug has probably been there for a long time.)
Could you please share your reproducer and your kernel config as well?
Kind regards,
Niklas
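A userspace model of the page/offset arithmetic quoted in the report, added here as an example; it is not code from this thread or from libata. It assumes a 4 KiB page size and 512-byte sectors, models nth_page() as page-frame addition, and adds its own guard (cursg_ofs must lie inside the current scatterlist entry), which is this example's check and not the kernel's fix. The scatterlist entries are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Page geometry of a typical x86-64 build and the ATA sector size
 * (assumed values for this model, not taken from the thread). */
#define PAGE_SHIFT    12UL
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define ATA_SECT_SIZE 512UL

/* Userspace stand-in for one scatterlist entry: the page frame it starts
 * on, the byte offset into that page, and the entry's length in bytes. */
struct sg_model {
    unsigned long first_pfn;
    unsigned int  offset;
    unsigned int  length;
};

/* Where one PIO sector transfer would land, per the quoted arithmetic. */
struct pio_target {
    unsigned long pfn;        /* page frame the bytes would be written to */
    unsigned long page_ofs;   /* byte offset within that page */
    unsigned long nbytes;     /* bytes a naive min(remaining, sector) clamp yields */
    bool          in_bounds;  /* true only if cursg_ofs starts inside the entry */
};

/* Mirror of the two quoted lines: fold (sg->offset + cursg_ofs) into a page
 * number and an in-page offset. The in_bounds guard is this example's own
 * check: if the transfer does not start inside the current entry, the page
 * arithmetic walks into pages that belong to someone else. */
static struct pio_target pio_target_for(const struct sg_model *sg,
                                        unsigned int cursg_ofs)
{
    struct pio_target t;
    unsigned long offset = sg->offset + cursg_ofs;
    unsigned int remaining = sg->length - cursg_ofs;  /* wraps if out of range */

    t.pfn       = sg->first_pfn + (offset >> PAGE_SHIFT);
    t.page_ofs  = offset % PAGE_SIZE;
    t.in_bounds = cursg_ofs < sg->length;
    /* Unsigned wrap-around means a clamp alone still hands back a full
     * sector when cursg_ofs exceeds the entry; the caller must consult
     * in_bounds before trusting nbytes. */
    t.nbytes = remaining < ATA_SECT_SIZE ? remaining : ATA_SECT_SIZE;
    return t;
}

/* How many pages beyond the entry's last page the target page lies
 * (0 or negative means the page is one of the entry's own pages). */
static long pages_past_entry(const struct sg_model *sg, unsigned int cursg_ofs)
{
    unsigned long last_pfn =
        sg->first_pfn + ((sg->offset + sg->length - 1UL) >> PAGE_SHIFT);
    return (long)pio_target_for(sg, cursg_ofs).pfn - (long)last_pfn;
}

int main(void)
{
    /* Constructed entry: one page long, starting on page frame 100. */
    const struct sg_model sg = { .first_pfn = 100, .offset = 0, .length = 0x1000 };
    unsigned int cases[] = { 0x0, 0xF00, 0x5000 };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct pio_target t = pio_target_for(&sg, cases[i]);
        printf("cursg_ofs=0x%x -> pfn %lu ofs 0x%lx, %lu bytes, %s (%+ld pages)\n",
               cases[i], t.pfn, t.page_ofs, t.nbytes,
               t.in_bounds ? "inside entry" : "OUT OF BOUNDS",
               pages_past_entry(&sg, cases[i]));
    }
    return 0;
}
```

With the reported values (cursg_ofs 0x5000, sg offset 0) the model lands five pages past the single-page entry, while the naive length clamp still returns a full 512 bytes because the unsigned subtraction wraps; only the explicit in_bounds check rejects the transfer.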
Thread overview: 10+ messages
2025-01-02 2:17 out-of-bounds write in the function ata_pio_sector reveliofuzzing
2025-01-02 10:40 ` Niklas Cassel [this message]
2025-01-02 16:23 ` reveliofuzzing
2025-01-17 14:26 ` Niklas Cassel
2025-01-17 16:42 ` reveliofuzzing
2025-01-20 13:54 ` Niklas Cassel
2025-01-20 16:47 ` reveliofuzzing
2025-01-22 14:59 ` Niklas Cassel
2025-01-29 3:09 ` Martin K. Petersen
2025-01-29 9:57 ` Niklas Cassel