Commit 9de9f63e authored by Dan Carpenter's avatar Dan Carpenter Committed by Stefan Bader

libata: zpodd: small read overflow in eject_tray()

BugLink: https://bugs.launchpad.net/bugs/1784382

commit 18c9a99b upstream.

We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 21334205 ("libata: handle power transition of ODD")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 5d00b81e
...@@ -34,7 +34,7 @@ struct zpodd { ...@@ -34,7 +34,7 @@ struct zpodd {
static int eject_tray(struct ata_device *dev) static int eject_tray(struct ata_device *dev)
{ {
struct ata_taskfile tf; struct ata_taskfile tf;
static const char cdb[] = { GPCMD_START_STOP_UNIT, static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
0, 0, 0, 0, 0, 0,
0x02, /* LoEj */ 0x02, /* LoEj */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment