Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:ata: libata-sff: Ensure that we cannot write outside the allocated bufferreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_lenset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set toATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() towrite outside the allocated buffer, overwriting random memory.While a ATA device is supposed to abort a ATA_NOP command, there does seemto be a bug either in libata-sff or QEMU, where either this status is notset, or the status is cleared before read by ata_sff_hsm_move().Anyway, that is most likely a separate bug.Looking at __atapi_pio_bytes(), it already has a safety check to ensurethat __atapi_pio_bytes() cannot write outside the allocated buffer.Add a similar check to ata_pio_sector(), such that also ata_pio_sector()cannot write outside the allocated buffer.
No PoCs from references.
- https://github.com/w4zu/Debian_security