libata: zpodd: small read overflow in eject_tray()
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 29 May 2018 09:13:24 +0000 (12:13 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Jun 2018 00:06:32 +0000 (08:06 +0800)
commit 18c9a99bce2a57dfd7e881658703b5d7469cc7b9 upstream.

We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/ata/libata-zpodd.c

index de4ddd0e8550a66dac6856099180bc59dc622d05..b3ed8f9953a862ea3ae67ef065ca5469330a44e0 100644 (file)
@@ -35,7 +35,7 @@ struct zpodd {
 static int eject_tray(struct ata_device *dev)
 {
        struct ata_taskfile tf;
-       static const char cdb[] = {  GPCMD_START_STOP_UNIT,
+       static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,
                0, 0, 0,
                0x02,     /* LoEj */
                0, 0, 0, 0, 0, 0, 0,