Description
In the Linux kernel, the following vulnerability has been resolved: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS UBSAN complains about array-index-out-of-bounds: [ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41 [ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]' [ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu [ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010 [ 1.980718] kernel: Call Trace: [ 1.980721] kernel: <TASK> [ 1.980723] kernel: show_stack+0x52/0x58 [ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f [ 1.980734] kernel: dump_stack+0x10/0x12 [ 1.980736] kernel: ubsan_epilogue+0x9/0x45 [ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49 [ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci] [ 1.980748] kernel: ata_qc_issue+0x135/0x240 [ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580 [ 1.980754] kernel: ? vprintk_default+0x1d/0x20 [ 1.980759] kernel: ata_exec_internal+0x67/0xa0 [ 1.980762] kernel: sata_pmp_read+0x8d/0xc0 [ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90 [ 1.980768] kernel: sata_pmp_attach+0x8b/0x310 [ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0 [ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30 [ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci] [ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci] [ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci] [ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0 [ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560 [ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40 [ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci] [ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600 [ 1.980810] kernel: ata_scsi_error+0x9c/0xd0 [ 1.980813] kernel: scsi_error_handler+0xa1/0x180 [ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0 [ 1.980820] kernel: kthread+0x12a/0x150 [ 1.980823] kernel: ? set_kthread_struct+0x50/0x50 [ 1.980826] kernel: ret_from_fork+0x22/0x30 [ 1.980831] kernel: </TASK> This happens because sata_pmp_init_links() initialize link->pmp up to SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array. I can't find the maximum Enclosure Management ports specified in AHCI spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier Information" can utilize 4 bits, which implies it can support up to 16 ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the issue. BugLink: https://bugs.launchpad.net/bugs/1970074
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f70bd4339cb68bc7e206af4c922bc0d249244403
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before da2ea4a961d9f89ed248734e7032350c260dc3a3
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 67a00c299c5c143817c948fbc7de1a2fa1af38fb
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 383b7c50f5445ff8dbbf03080905648d6980c39d
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 303d0f761431d848dd8d7ff9fd9b8c101879cabe
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 8fbe13de1cc7cef2564be3cbf60400b33eee023b
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before d6314d5f68764550c84d732ce901ddd3ac6b415f
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1e41e693f458eef2d5728207dbd327cd3b16580a
4.9.332 (semver)
4.14.298 (semver)
4.19.264 (semver)
5.4.221 (semver)
5.10.152 (semver)
5.15.76 (semver)
6.0.6 (semver)
6.1 (original_commit_for_fix)
References
git.kernel.org/...c/f70bd4339cb68bc7e206af4c922bc0d249244403
git.kernel.org/...c/da2ea4a961d9f89ed248734e7032350c260dc3a3
git.kernel.org/...c/67a00c299c5c143817c948fbc7de1a2fa1af38fb
git.kernel.org/...c/383b7c50f5445ff8dbbf03080905648d6980c39d
git.kernel.org/...c/303d0f761431d848dd8d7ff9fd9b8c101879cabe
git.kernel.org/...c/8fbe13de1cc7cef2564be3cbf60400b33eee023b
git.kernel.org/...c/d6314d5f68764550c84d732ce901ddd3ac6b415f
git.kernel.org/...c/1e41e693f458eef2d5728207dbd327cd3b16580a
