usb: storage: sddr55: Reject out-of-bound new_pba

Discovered by Atuin - Automated Vulnerability Discovery Engine.

new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.

Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.

Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c
index b323f0a3626031905b946ce64ddf04539a6e3232..9d813727e65f1e04e8992e4936b485aa44b2b9be 100644 (file)
--- a/drivers/usb/storage/sddr55.c
+++ b/drivers/usb/storage/sddr55.c
@@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_data *us,
                new_pba = (status[3] + (status[4] << 8) + (status[5] << 16))
                                                  >> info->blockshift;
 
+               /* check if device-reported new_pba is out of range */
+               if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) {
+                       result = USB_STOR_TRANSPORT_FAILED;
+                       goto leave;
+               }
+
                /* check status for error */
                if (status[0] == 0xff && status[1] == 0x4) {
                        info->pba_to_lba[new_pba] = BAD_BLOCK;