From e85b6eb478bc7d6ea75a97a6cacd8bb2ad6eeed4 Mon Sep 17 00:00:00 2001 From: Tianchu Chen Date: Wed, 17 Dec 2025 06:52:13 +0000 Subject: [PATCH] usb: storage: sddr55: Reject out-of-bound new_pba stable inclusion from stable-v6.6.119 commit 04a8a6393f3f2f471e05eacca33282dd30b01432 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDCQJA CVE: CVE-2025-40345 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=04a8a6393f3f2f471e05eacca33282dd30b01432 ---------------------------------------------------------------------- commit b59d4fda7e7d0aff1043a7f742487cb829f5aac1 upstream. Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries. Signed-off-by: Tianchu Chen Cc: stable Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Luo Gengkun --- drivers/usb/storage/sddr55.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c index 15dc25801cdc..f53b2471a21c 100644 --- a/drivers/usb/storage/sddr55.c +++ b/drivers/usb/storage/sddr55.c @@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_data *us, new_pba = (status[3] + (status[4] << 8) + (status[5] << 16)) >> info->blockshift; + /* check if device-reported new_pba is out of range */ + if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) { + result = USB_STOR_TRANSPORT_FAILED; + goto leave; + } + /* check status for error */ if (status[0] == 0xff && status[1] == 0x4) { info->pba_to_lba[new_pba] = BAD_BLOCK; -- Gitee