From: Niklas Cassel <cassel@kernel.org>
To: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>, Christoph Hellwig <hch@lst.de>,
Damien Le Moal <dlemoal@kernel.org>,
linux-ide@vger.kernel.org,
reveliofuzzing <reveliofuzzing@gmail.com>
Subject: Re: out-of-bounds write in the function ata_pio_sector
Date: Wed, 29 Jan 2025 10:57:26 +0100 [thread overview]
Message-ID: <Z5n7hl0JX1kqsFa4@ryzen> (raw)
In-Reply-To: <yq1wmees4lw.fsf@ca-mkp.ca.oracle.com>
Hello Martin,
On Tue, Jan 28, 2025 at 10:09:35PM -0500, Martin K. Petersen wrote:
>
> Niklas,
>
> Sorry about the delay, was out for a few days.
>
> > I was kind of expecting some upper layer, SCSI or block, to have rejected
> > an operation that is not a multiple of the sector size.
> >
> > Is that a silly assumption?
>
> Not all SCSI commands operate on logical blocks. Plus even if they do
> the actual data transfer could still be larger than one block due to PI
> or long writes.
>
> That's all a bit theoretical in the context of the archaic
> sg_scsi_ioctl() call since that only takes a single page and has little
> practical use. But in general we can't assume that everything is a
> multiple of 512 bytes.
Thank you.
I basically came to the same conclusion.
(We can't assume that everything is a multiple of 512 bytes.)
Looking at ACS-6, Table A.2 — Command codes (sorted by command code)
and looking at all commands that are of type:
PIO Data-In and PIO Data-Out.
Most commands use the COUNT field to mean a unit in either sectors or log
page count (which is also a multiple of sectors), but some commands, e.g.
TRUSTED RECEIVE 5Ch and TRUSTED SEND 5Eh, it means TRANSFER LENGTH, which
is security protocol specific.
Looking at TCG (SIIS), TRANSFER LENGTH is a multiple of sectors.
I don't know about other security protocols (if any).
It is probably quite safe to make the assumption that the COUNT field in
ACS will always be a multiple of sectors for PIO Data-In and PIO Data-Out
commands, so we probably could add a check in generic libata code
somewhere... but by adding such a check in generic libata code, for it to
be simple, it would probably need to apply to more than just PIO Data-In
and PIO Data-Out commands, and I'm not sure if we can make such an
assumption.
Thus, I'm happy with the fix:
https://lore.kernel.org/linux-ide/20250127154303.15567-2-cassel@kernel.org/
for now.
Kind regards,
Niklas
prev parent reply other threads:[~2025-01-29 9:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-02 2:17 out-of-bounds write in the function ata_pio_sector reveliofuzzing
2025-01-02 10:40 ` Niklas Cassel
2025-01-02 16:23 ` reveliofuzzing
2025-01-17 14:26 ` Niklas Cassel
2025-01-17 16:42 ` reveliofuzzing
2025-01-20 13:54 ` Niklas Cassel
2025-01-20 16:47 ` reveliofuzzing
2025-01-22 14:59 ` Niklas Cassel
2025-01-29 3:09 ` Martin K. Petersen
2025-01-29 9:57 ` Niklas Cassel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z5n7hl0JX1kqsFa4@ryzen \
--to=cassel@kernel.org \
--cc=axboe@kernel.dk \
--cc=dlemoal@kernel.org \
--cc=hch@lst.de \
--cc=linux-ide@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=reveliofuzzing@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox