Re: out-of-bounds write in the function ata_pio_sector

Hello reveliofuzzing,

On Wed, Jan 01, 2025 at 09:17:02PM -0500, reveliofuzzing wrote:
> Hi there,
> 
> We found an out-of-bounds write in the function ata_pio_sector, which can cause
> the kernel to crash. We would like to report it for your reference.
> 
> ## Problem in ata_pio_sector
> ata_pio_sector uses the following code to decide which page to use for the I/O:
> page = sg_page(qc->cursg);
> offset = qc->cursg->offset + qc->cursg_ofs;
> 
> /* get the current page and offset */
> page = nth_page(page, (offset >> PAGE_SHIFT));
> offset %= PAGE_SIZE;
> but we found that `offset` could be as high as 0x5000---qc->cursg_ofs==0x5000,
> qc->cursg->offset == 0x0, making `page` point to a higher-position page that
> belongs to other threads.
> 
> ## Example crash
> This out-of-bounds write can cause the kernel to crash at arbitrary places,
> depending on when the corrupted page is accessed by the other thread.
> 
> We found this problem can happen in Linux kernel 6.1~6.12. Here is one crash in
> Linux kernel 6.1:

Thank you for reporting!

I assume that you haven't tested kernels earlier than 6.1?

(Looking at the driver, there was no major change between 6.0 and 6.1,
so this bug has probably been there for a long time.)


Could you please share your reproducer and your kernel config as well?


Kind regards,
Niklas
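To make the quoted arithmetic concrete, here is an added C example (not kernel code and not from the report) that replays the page/offset split with the reported values and pairs it with a hypothetical bounds check; `struct sg_entry`, `struct pio_target`, `split_offset` and `check_pio_target` are constructed stand-ins, and PAGE_SIZE is assumed to be 4 KiB.

```c
#include <stdio.h>

/* Constructed stand-in for a scatterlist entry: only the fields the quoted
 * ata_pio_sector excerpt touches (offset into its first page, byte length). */
struct sg_entry {
    unsigned int offset;
    unsigned int length;
};

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1u << PAGE_SHIFT)
#define ATA_SECT_SIZE 512u

/* (page index relative to sg_page(), offset within that page) */
struct pio_target {
    unsigned int page_idx;
    unsigned int page_off;
};

/* The quoted arithmetic: a linear offset split into nth_page() index + offset. */
static struct pio_target split_offset(const struct sg_entry *sg, unsigned int cursg_ofs)
{
    unsigned int offset = sg->offset + cursg_ofs;
    struct pio_target t = { offset >> PAGE_SHIFT, offset % PAGE_SIZE };
    return t;
}

/* Hypothetical guard (not kernel code): a sector-sized transfer starting at
 * cursg_ofs must fit inside the entry, otherwise nth_page() selects a page the
 * scatterlist never described. Returns 0 if in bounds, -1 otherwise. */
static int check_pio_target(const struct sg_entry *sg, unsigned int cursg_ofs,
                            struct pio_target *out)
{
    if (cursg_ofs > sg->length || ATA_SECT_SIZE > sg->length - cursg_ofs)
        return -1;
    *out = split_offset(sg, cursg_ofs);
    return 0;
}

int main(void)
{
    struct sg_entry sg = { .offset = 0, .length = PAGE_SIZE }; /* one constructed 4 KiB entry */
    struct pio_target t = split_offset(&sg, 0x5000);           /* values from the report */

    printf("unchecked: nth_page(page, %u), offset 0x%x\n", t.page_idx, t.page_off);
    printf("checked:   %s\n", check_pio_target(&sg, 0x5000, &t) ? "rejected" : "ok");
    return 0;
}
```

With the reported cursg_ofs the unchecked split lands on the fifth page after sg_page(), which the single-page entry never covered; the guard rejects that transfer while accepting any sector that fits in the entry.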
