Commit b59d4fda authored Nov 16, 2025 by Tianchu Chen Committed by Greg Kroah-Hartman Nov 21, 2025

usb: storage: sddr55: Reject out-of-bound new_pba



Discovered by Atuin - Automated Vulnerability Discovery Engine.

new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.

Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.

Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 2e558d86

drivers/usb/storage/sddr55.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_data *us,
		new_pba = (status[3] + (status[4] << 8) + (status[5] << 16))
		>> info->blockshift;

		/* check if device-reported new_pba is out of range */
		if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) {
		result = USB_STOR_TRANSPORT_FAILED;
		goto leave;
		}

		/* check status for error */
		if (status[0] == 0xff && status[1] == 0x4) {
		info->pba_to_lba[new_pba] = BAD_BLOCK;