• Jens Axboe's avatar
    libata: have ata_scsi_rw_xlat() fail invalid passthrough requests · 2d727150
    Jens Axboe authored
    For passthrough requests, libata-scsi takes what the user passes in
    as gospel. This can be problematic if the user fills in the CDB
    incorrectly. One example of that is in request sizes. For read/write
    commands, the CDB contains fields describing the transfer length of
    the request. These should match with the SG_IO header fields, but
    libata-scsi currently does no validation of that.
    
    Check that the number of blocks in the CDB for passthrough requests
    matches what was mapped into the request. If the CDB asks for more
    data then the validated SG_IO header fields, error it.
    Reported-by: default avatarKrishna Ram Prakash R <krp@gtux.in>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
    2d727150
libata-scsi.c 127 KB