usb: storage: sddr55: Reject out-of-bound new_pba

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Discovered by Atuin - Automated Vulnerability Discovery Engine.

new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.

Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.

Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Tianchu Chen and committed by

Greg Kroah-Hartman 4 months ago b59d4fda 2e558d86

1 changed file

expand all

drivers

usb

storage

sddr55.c

drivers/usb/storage/sddr55.c

··· 469 469 new_pba = (status[3] + (status[4] << 8) + (status[5] << 16)) 470 470 >> info->blockshift; 471 471 472 + /* check if device-reported new_pba is out of range */ 473 + if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) { 474 + result = USB_STOR_TRANSPORT_FAILED; 475 + goto leave; 476 + } 477 + 472 478 /* check status for error */ 473 479 if (status[0] == 0xff && status[1] == 0x4) { 474 480 info->pba_to_lba[new_pba] = BAD_BLOCK;