scsi: sr: Sanity check returned mode data

commit a00a7862513089f17209b732f230922f1942e0b9 upstream.

Kefeng Wang discovered that old versions of the QEMU CD driver would
return mangled mode data causing us to walk off the end of the buffer in
an attempt to parse it. Sanity check the returned mode sense data.

Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index bed2bbd6b923..e63597342c96 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -833,6 +833,7 @@ static void get_capabilities(struct scsi_cd *cd)
         unsigned char *buffer;
         struct scsi_mode_data data;
         struct scsi_sense_hdr sshdr;
+        unsigned int ms_len = 128;
         int rc, n;
 
         static const char *loadmech[] =
@@ -859,10 +860,11 @@ static void get_capabilities(struct scsi_cd *cd)
         scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr);
 
         /* ask for mode page 0x2a */
-        rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, 128,
+        rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, ms_len,
                              SR_TIMEOUT, 3, &data, NULL);
 
-        if (!scsi_status_is_good(rc)) {
+        if (!scsi_status_is_good(rc) || data.length > ms_len ||
+            data.header_length + data.block_descriptor_length > data.length) {
                 /* failed, drive doesn't have capabilities mode page */
                 cd->cdi.speed = 1;
                 cd->cdi.mask |= (CDC_CD_R | CDC_CD_RW | CDC_DVD_R |