From 4a704a0ad95973249544f3f95e30e328e701a871 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Tue, 17 Aug 2021 00:05:17 +0200
Subject: block: Look out for disk sector number overflow
* linux/dev/drivers/block/ahci.c (ahci_do_port_request): Reject sectors beyond LBA48 or LBA28.
* linux/dev/glue/block.c (check_rw_block): New function. (rdwr_partial, rdwr_full): Use check_rw_block to reject block number overflows.
* linux/src/drivers/block/ide.c (do_rw_disk): Reject sectors beyond LBA28 or CHS.
---
 linux/src/drivers/block/ide.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'linux/src')
diff --git a/linux/src/drivers/block/ide.c b/linux/src/drivers/block/ide.c
index 170e4e13..2d0fc77e 100644
--- a/linux/src/drivers/block/ide.c
+++ b/linux/src/drivers/block/ide.c
@@ -1475,6 +1475,11 @@ static inline void do_rw_disk (ide_drive_t *drive, struct request *rq, unsigned
 #else /* !CONFIG_BLK_DEV_PROMISE */
 if (drive->select.b.lba) {
 #endif /* CONFIG_BLK_DEV_PROMISE */
+ if (block >= 1UL << 28) {
+ printk("block %lu beyond LBA28\n", block);
+ ide_end_request(0, hwif->hwgroup);
+ return;
+ }
 #ifdef DEBUG
 printk("%s: %sing: LBAsect=%ld, sectors=%ld, buffer=0x%08lx\n",
 drive->name, (rq->cmd==READ)?"read":"writ",
@@ -1491,6 +1496,13 @@ static inline void do_rw_disk (ide_drive_t *drive, struct request *rq, unsigned
 OUT_BYTE(sect,io_base+IDE_SECTOR_OFFSET);
 head = track % drive->head;
 cyl = track / drive->head;
+
+ if (cyl >= 1 << 16) {
+ printk("block %lu cylinder %u beyond CHS\n", block, cyl);
+ ide_end_request(0, hwif->hwgroup);
+ return;
+ }
+
 OUT_BYTE(cyl,io_base+IDE_LCYL_OFFSET);
 OUT_BYTE(cyl>>8,io_base+IDE_HCYL_OFFSET);
 OUT_BYTE(head|drive->select.all,io_base+IDE_SELECT_OFFSET);
-- cgit v1.2.3
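Review bot: The LBA28 guard added in the `drive->select.b.lba` branch tests only the starting `block`, so a multi-sector request that begins just below 2^28 and runs past it is still programmed into the task file, and what the drive does when the address wraps is device-dependent. Assuming the request length is available here as `rq->nr_sectors` (the `sectors=%ld` in the DEBUG printk below suggests it), the test could cover the last sector too: `if (block >= 1UL << 28 || rq->nr_sectors > (1UL << 28) - block) {`. The log line would also be easier to triage with the device named, e.g. `printk("%s: block %lu beyond LBA28\n", drive->name, block);`, matching the DEBUG message that follows. do_rw_disk starts and ends outside this hunk.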
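Review bot: The CHS check runs only after `OUT_BYTE(sect,io_base+IDE_SECTOR_OFFSET);` has already written the sector register, so a rejected request leaves the task file partly programmed before `ide_end_request(0, hwif->hwgroup)` is called. Computing `head` and `cyl` and testing `cyl >= 1 << 16` ahead of the first `OUT_BYTE` in this branch would keep the rejection free of device side effects. As with the LBA28 guard in the previous hunk, only the first sector of the request is range-checked and the message omits `drive->name`. The function body continues outside the hunk.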