Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length

Since the READ(6) and WRITE(6) commands interpret a zero in the transfer
length field in the CDB as 256 logical blocks, avoid submitting such
commands.

Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by Bart Van Assche and committed by Martin K. Petersen
db5db4b9 59abc8cc

+4
+4
drivers/scsi/sd.c
··· 1128 1128 sector_t lba, unsigned int nr_blocks, 1129 1129 unsigned char flags) 1130 1130 { 1131 + /* Avoid that 0 blocks gets translated into 256 blocks. */ 1132 + if (WARN_ON_ONCE(nr_blocks == 0)) 1133 + return BLK_STS_IOERR; 1134 + 1131 1135 if (unlikely(flags & 0x8)) { 1132 1136 /* 1133 1137 * This happens only if this drive failed 10byte rw
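
Review bot: The comment above the new `nr_blocks == 0` check at the top of the function body is hard to parse and does not say where the translation to 256 blocks happens. Consider wording it in terms of the CDB, for example `/* A zero transfer length in a 6-byte CDB means 256 blocks; reject it. */`, so the guard can be understood without the commit message. Also, `WARN_ON_ONCE` logs only the first hit, so any later zero-length request fails with `BLK_STS_IOERR` without leaving a trace; if repeated occurrences matter for debugging, a rate-limited message that names the device would help.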