CVE-2022-50315

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS<br /> <br /> UBSAN complains about array-index-out-of-bounds:<br /> [ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41<br /> [ 1.980709] kernel: index 15 is out of range for type &amp;#39;ahci_em_priv [8]&amp;#39;<br /> [ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu<br /> [ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010<br /> [ 1.980718] kernel: Call Trace:<br /> [ 1.980721] kernel: <br /> [ 1.980723] kernel: show_stack+0x52/0x58<br /> [ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f<br /> [ 1.980734] kernel: dump_stack+0x10/0x12<br /> [ 1.980736] kernel: ubsan_epilogue+0x9/0x45<br /> [ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49<br /> [ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]<br /> [ 1.980748] kernel: ata_qc_issue+0x135/0x240<br /> [ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580<br /> [ 1.980754] kernel: ? vprintk_default+0x1d/0x20<br /> [ 1.980759] kernel: ata_exec_internal+0x67/0xa0<br /> [ 1.980762] kernel: sata_pmp_read+0x8d/0xc0<br /> [ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90<br /> [ 1.980768] kernel: sata_pmp_attach+0x8b/0x310<br /> [ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0<br /> [ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30<br /> [ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]<br /> [ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]<br /> [ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]<br /> [ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0<br /> [ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560<br /> [ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40<br /> [ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]<br /> [ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600<br /> [ 1.980810] kernel: ata_scsi_error+0x9c/0xd0<br /> [ 1.980813] kernel: scsi_error_handler+0xa1/0x180<br /> [ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0<br /> [ 1.980820] kernel: kthread+0x12a/0x150<br /> [ 1.980823] kernel: ? set_kthread_struct+0x50/0x50<br /> [ 1.980826] kernel: ret_from_fork+0x22/0x30<br /> [ 1.980831] kernel: <br /> <br /> This happens because sata_pmp_init_links() initialize link-&gt;pmp up to<br /> SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.<br /> <br /> I can&amp;#39;t find the maximum Enclosure Management ports specified in AHCI<br /> spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier<br /> Information" can utilize 4 bits, which implies it can support up to 16<br /> ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the<br /> issue.<br /> <br /> BugLink: https://bugs.launchpad.net/bugs/1970074