Centos-kernel-stream-9/drivers/ata
Augusto Caringi 55ceae434c Merge: CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6471

JIRA: https://issues.redhat.com/browse/RHEL-81457
CVE: CVE-2025-21738

```
commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2
Author: Niklas Cassel <cassel@kernel.org>
Date:   Mon Jan 27 16:43:04 2025 +0100

    ata: libata-sff: Ensure that we cannot write outside the allocated buffer

    reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
    set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
    ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
    write outside the allocated buffer, overwriting random memory.

    While an ATA device is supposed to abort an ATA_NOP command, there does seem
    to be a bug either in libata-sff or QEMU, where either this status is not
    set, or the status is cleared before read by ata_sff_hsm_move().
    Anyway, that is most likely a separate bug.

    Looking at __atapi_pio_bytes(), it already has a safety check to ensure
    that __atapi_pio_bytes() cannot write outside the allocated buffer.

    Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
    cannot write outside the allocated buffer.

    Cc: stable@vger.kernel.org
    Reported-by: reveliofuzzing <reveliofuzzing@gmail.com>
    Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
    Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
    Signed-off-by: Niklas Cassel <cassel@kernel.org>
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-02-27 22:17 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Approved-by: Tomas Henzl <thenzl@redhat.com>
Approved-by: Chris Leech <cleech@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Augusto Caringi <acaringi@redhat.com>
2025-04-24 12:23:22 -03:00
..
Kconfig ata: ahci: Drop low power policy board type 2024-07-08 15:39:24 -04:00
Makefile ata: remove palmld pata driver 2023-04-24 12:16:18 +02:00
acard-ahci.c ata: libata: simplify qc_fill_rtf port operation interface 2023-04-24 12:16:16 +02:00
ahci.c ata: ahci: Clean up sysfs file on error 2024-09-16 15:20:55 +02:00
ahci.h block: simplify tag allocation policy selection 2025-03-14 16:48:39 +08:00
ahci_brcm.c ata: ahci_brcm: Fix compilation warning 2023-04-24 12:16:11 +02:00
ahci_ceva.c ata: Drop commas after OF match table sentinels 2022-04-09 22:28:57 +02:00
ahci_da850.c ata: libahci_platform: Convert to using devm bulk clocks API 2023-04-24 12:16:08 +02:00
ahci_dm816.c ata: libahci_platform: Convert to using devm bulk clocks API 2023-04-24 12:16:08 +02:00
ahci_imx.c thermal/core: Use the thermal zone 'devdata' accessor in remaining drivers 2024-03-27 11:39:36 -04:00
ahci_mtk.c ata: Use of_property_present() for testing DT property presence 2024-07-08 15:39:14 -04:00
ahci_mvebu.c Revert "ata: ahci: mvebu: Make SATA PHY optional for Armada 3720" 2022-04-09 22:28:57 +02:00
ahci_octeon.c ata: octeon: Drop empty platform remove function 2023-04-24 12:16:15 +02:00
ahci_platform.c ata: ahci_platform: Make code agnostic to OF/ACPI 2023-11-11 18:42:38 +01:00
ahci_qoriq.c ata: fix debounce timings type 2023-11-11 19:57:19 +01:00
ahci_seattle.c
ahci_st.c ata: ahci_st: Fix compilation warning 2023-04-24 12:16:11 +02:00
ahci_sunxi.c ata: Drop commas after OF match table sentinels 2022-04-09 22:28:57 +02:00
ahci_tegra.c
ahci_xgene.c ata: xgene: Use of_device_get_match_data() 2024-07-08 15:39:21 -04:00
ata_generic.c
ata_piix.c
libahci.c ahci: print the number of implemented ports 2024-07-08 15:39:26 -04:00
libahci_platform.c ata: Use of_property_present() for testing DT property presence 2024-07-08 15:39:14 -04:00
libata-acpi.c ata: make use of ata_port_is_frozen() helper 2023-04-24 12:16:12 +02:00
libata-core.c ata: libata: Move sector_buf from struct ata_port to struct ata_device 2024-10-26 16:39:48 +02:00
libata-eh.c ata: libata: avoid superfluous disk spin down + spin up during hibernation 2024-10-26 16:39:49 +02:00
libata-pata-timings.c
libata-pmp.c ata: libata: Move sector_buf from struct ata_port to struct ata_device 2024-10-26 16:39:48 +02:00
libata-sata.c ata: libata: Move sector_buf from struct ata_port to struct ata_device 2024-10-26 16:39:48 +02:00
libata-scsi.c ata: libata-scsi: Fix ata_msense_control() CDL page reporting 2024-10-26 16:39:49 +02:00
libata-sff.c ata: libata-sff: Ensure that we cannot write outside the allocated buffer 2025-02-27 22:17:11 +00:00
libata-trace.c ata: scsi: rename flag ATA_QCFLAG_FAILED to ATA_QCFLAG_EH 2023-04-24 12:16:16 +02:00
libata-transport.c ata: libata: Fix W=1 compilation warning 2024-10-26 16:39:49 +02:00
libata-transport.h
libata-zpodd.c ata: libata: Move sector_buf from struct ata_port to struct ata_device 2024-10-26 16:39:48 +02:00
libata.h ata: libata: Rename ata_eh_read_sense_success_ncq_log() 2024-10-26 16:39:48 +02:00
pata_acpi.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_ali.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_amd.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_arasan_cf.c
pata_artop.c
pata_atiixp.c
pata_atp867x.c
pata_buddha.c
pata_cmd64x.c
pata_cmd640.c
pata_cs5520.c ata: pata_cs5520: Remove unnecessary call to pci_enable_device_io() 2024-08-15 15:31:13 -06:00
pata_cs5530.c
pata_cs5535.c ata: pata_cs5535: Fix W=1 warnings 2023-04-07 18:54:22 +02:00
pata_cs5536.c
pata_cypress.c
pata_efar.c
pata_ep93xx.c ata: libata: Remove ata_noop_qc_prep() 2024-10-25 17:31:06 +02:00
pata_falcon.c
pata_ftide010.c ata: pata_ftide010: Remove build dependency on OF 2023-04-24 12:16:12 +02:00
pata_gayle.c
pata_hpt3x2n.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_hpt3x3.c
pata_hpt37x.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_hpt366.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_icside.c ata: libata: Remove ata_noop_qc_prep() 2024-10-25 17:31:06 +02:00
pata_imx.c
pata_isapnp.c
pata_it821x.c
pata_it8213.c
pata_ixp4xx_cf.c pata: ixp4xx: Add explicit include for of.h 2024-05-09 11:25:38 -04:00
pata_jmicron.c
pata_legacy.c ata: pata_legacy: fix pdc20230_set_piomode() 2023-04-24 12:16:13 +02:00
pata_macio.c block: simplify tag allocation policy selection 2025-03-14 16:48:39 +08:00
pata_marvell.c ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2023-04-07 18:54:20 +02:00
pata_mpc52xx.c ata: libata: Remove ata_noop_qc_prep() 2024-10-25 17:31:06 +02:00
pata_mpiix.c
pata_netcell.c
pata_ninja32.c
pata_ns87410.c
pata_ns87415.c ata: add/use ata_taskfile::{error|status} fields 2022-04-09 22:09:39 +02:00
pata_octeon_cf.c ata: libata: Remove ata_noop_qc_prep() 2024-10-25 17:31:06 +02:00
pata_of_platform.c ata: Drop commas after OF match table sentinels 2022-04-09 22:28:57 +02:00
pata_oldpiix.c
pata_opti.c
pata_optidma.c
pata_pcmcia.c
pata_pdc202xx_old.c
pata_pdc2027x.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_piccolo.c
pata_platform.c
pata_pxa.c ata: pata_pxa: Use platform_get_irq() to get the interrupt 2022-04-09 22:28:57 +02:00
pata_radisys.c
pata_rb532_cf.c
pata_rdc.c
pata_rz1000.c
pata_sc1200.c
pata_sch.c
pata_serverworks.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_sil680.c ata: pata_sil680: fix result type of sil680_sel{dev|reg}() 2023-04-07 18:54:20 +02:00
pata_sis.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pata_sl82c105.c
pata_triflex.c
pata_via.c ata: make transfer mode masks *unsigned int* 2023-04-07 18:54:21 +02:00
pdc_adma.c
sata_dwc_460ex.c ata: Use of_property_present() for testing DT property presence 2024-07-08 15:39:14 -04:00
sata_fsl.c ata: libata: simplify qc_fill_rtf port operation interface 2023-04-24 12:16:16 +02:00
sata_gemini.c ata: sata_gemini: Remove dependency on OF for compile tests 2023-04-24 12:16:12 +02:00
sata_gemini.h
sata_highbank.c ata: fix debounce timings type 2023-11-11 19:57:19 +01:00
sata_inic162x.c ata: fix debounce timings type 2023-11-11 19:57:19 +01:00
sata_mv.c block: simplify tag allocation policy selection 2025-03-14 16:48:39 +08:00
sata_nv.c block: simplify tag allocation policy selection 2025-03-14 16:48:39 +08:00
sata_promise.c ata: scsi: rename flag ATA_QCFLAG_FAILED to ATA_QCFLAG_EH 2023-04-24 12:16:16 +02:00
sata_promise.h
sata_qstor.c
sata_rcar.c ata: sata_rcar: Fix compilation warning 2023-04-24 12:16:11 +02:00
sata_sil.c
sata_sil24.c block: simplify tag allocation policy selection 2025-03-14 16:48:39 +08:00
sata_sis.c
sata_svw.c ata: Use of_property_read_reg() to parse "reg" 2023-11-11 18:40:59 +01:00
sata_sx4.c ata: scsi: rename flag ATA_QCFLAG_FAILED to ATA_QCFLAG_EH 2023-04-24 12:16:16 +02:00
sata_uli.c
sata_via.c
sata_vsc.c ata: add/use ata_taskfile::{error|status} fields 2022-04-09 22:09:39 +02:00
sis.h