6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen flynnnchen@tencent.com
commit b59d4fda7e7d0aff1043a7f742487cb829f5aac1 upstream.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries.
Signed-off-by: Tianchu Chen flynnnchen@tencent.com Cc: stable stable@kernel.org Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/storage/sddr55.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/usb/storage/sddr55.c +++ b/drivers/usb/storage/sddr55.c @@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_d new_pba = (status[3] + (status[4] << 8) + (status[5] << 16)) >> info->blockshift;
+ /* check if device-reported new_pba is out of range */ + if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) { + result = USB_STOR_TRANSPORT_FAILED; + goto leave; + } + /* check status for error */ if (status[0] == 0xff && status[1] == 0x4) { info->pba_to_lba[new_pba] = BAD_BLOCK;