[PATCH OLK-6.6] scsi: sd: Fix off-by-one error in sd_read_block_characteristics() - Kernel

30 Oct 2024

From: Martin Wilck mwilck@suse.com
stable inclusion
from stable-v6.6.54
commit 568c7c4c77eee6df7677bb861b7cee7398a3255d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK3
CVE: CVE-2024-47682
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
-------------------------------
commit f81eaf08385ddd474a2f41595a7757502870c0eb upstream.
Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for
example), sd_read_block_characteristics() may attempt an out-of-bounds
memory access when accessing the zoned field at offset 8.
Fixes: 7fb019c46eee ("scsi: sd: Switch to using scsi_device VPD pages")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Wilck mwilck@suse.com
Link: https://lore.kernel.org/r/20240912134308.282824-1-mwilck@suse.com
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Zheng Qixing zhengqixing@huawei.com
---
 drivers/scsi/sd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 9ebf64a91586..11245bf46f85 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3118,7 +3118,7 @@ static void sd_read_block_characteristics(struct scsi_disk *sdkp)
    rcu_read_lock();
    vpd = rcu_dereference(sdkp->device->vpd_pgb1);
-	if (!vpd || vpd->len < 8) {
+	if (!vpd || vpd->len <= 8) {
    	rcu_read_unlock();
            return;
    }
-- 
2.39.2


    