SCSI: sd: Fix potential out-of-bounds access
authorAlan Stern <stern@rowland.harvard.edu>
Fri, 6 Sep 2013 15:49:51 +0000 (11:49 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 00:18:01 +0000 (17:18 -0700)
commit13915e203f991e77eb5a52bcd4c61e5f155e3bbc
tree83975360e6a2ef273787c002282cb3a483a6607d
parente7d63334e76b3cbb0ef599fef1643701fdb28aad
SCSI: sd: Fix potential out-of-bounds access

commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.

This patch fixes an out-of-bounds error in sd_read_cache_type(), found
by Google's AddressSanitizer tool.  When the loop ends, we know that
"offset" lies beyond the end of the data in the buffer, so no Caching
mode page was found.  In theory it may be present, but the buffer size
is limited to 512 bytes.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/scsi/sd.c