From d597314e1e561e653a9dbeafec69f20d6b372af1 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Sat, 23 Mar 2019 15:35:00 +0800
Subject: [PATCH] scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length
mainline inclusion from mainline-5.1-rc1
commit db5db4b91cabcf57f3efd98d92d24ab875cde8ae
category: bugfix
bugzilla: 12185
CVE: NA
---------------------------
Since the READ(6) and WRITE(6) commands interpret a zero in the transfer length field in the CDB as 256 logical blocks, avoid submitting such commands.
conflicts: drivers/scsi/sd.c
Cc: Douglas Gilbert
Cc: Hannes Reinecke
Cc: Christoph Hellwig
Reported-by: Douglas Gilbert
Signed-off-by: Bart Van Assche
Reviewed-by: Douglas Gilbert
Reviewed-by: Hannes Reinecke
Signed-off-by: Martin K. Petersen
Signed-off-by: Yufen Yu
Reviewed-by: Jason Yan
Signed-off-by: Yang Yingliang
---
 drivers/scsi/sd.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3951b26c3b6d..6e91b998147c 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1026,6 +1026,7 @@ static int sd_setup_read_write_cmnd(struct scsi_cmnd *SCpnt)
 sector_t block = blk_rq_pos(rq);
 sector_t threshold;
 unsigned int this_count = blk_rq_sectors(rq);
+ unsigned int nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq));
 unsigned int dif, dix;
 int ret;
 unsigned char protect;
@@ -1216,6 +1217,10 @@ static int sd_setup_read_write_cmnd(struct scsi_cmnd *SCpnt)
 SCpnt->cmnd[7] = (unsigned char) (this_count >> 8) & 0xff;
 SCpnt->cmnd[8] = (unsigned char) this_count & 0xff;
 } else {
+ /* Avoid that 0 blocks gets translated into 256 blocks. */
+ if (WARN_ON_ONCE(nr_blocks == 0))
+ return BLK_STS_IOERR;
+
 if (unlikely(rq->cmd_flags & REQ_FUA)) {
 /*
 * This happens only if this drive failed
-- 
GitLab
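Review bot: The new `nr_blocks` is a second block counter next to `this_count`, and the zero-length guard in the second hunk tests `nr_blocks` while the CDB length bytes visible there (`cmnd[7]`, `cmnd[8]`) are written from `this_count`. Both start from `blk_rq_sectors(rq)`, but whether they still agree when the 6-byte branch is reached depends on code between the two hunks that is not shown here. If `this_count` has already been converted to logical blocks by then, testing `this_count == 0` would tie the guard to the value that actually lands in the CDB. Otherwise a comment on the declaration would help, such as `/* logical blocks; used only for the zero-length check on the 6-byte CDB */`. The function body starts before and continues past both hunks.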
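Review bot: The added `return BLK_STS_IOERR;` returns a block-layer status code from a function that the hunk header still declares as `static int` and that keeps a local `int ret`. That suggests this backported tree has not adopted the `blk_status_t` return convention of the mainline function the fix was written for. If the other exits of `sd_setup_read_write_cmnd` return prep codes through `ret` (not visible in this hunk), the caller may not recognise this value as a failure, and the request that the guard is meant to stop could still be dispatched. The rejection should use the same failure code and exit path as the function's other error branches; if this tree still uses the BLKPREP_* codes, that would be `return BLKPREP_KILL;`. The direct `return` also skips any common exit label the function may have, so it is worth confirming that no cleanup is bypassed.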