CVE-2022-50315

In the Linux kernel, the following vulnerability has been resolved:

ata: ahci: Match EMMAXSLOTS with SATAPMPMAX_PORTS

UBSAN complains about array-index-out-of-bounds: [ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41 [ 1.980709] kernel: index 15 is out of range for type 'ahciempriv [8]' [ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsieh8 Not tainted 5.15.0-25-generic #25-Ubuntu [ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010 [ 1.980718] kernel: Call Trace: [ 1.980721] kernel: <TASK> [ 1.980723] kernel: showstack+0x52/0x58 [ 1.980729] kernel: dumpstacklvl+0x4a/0x5f [ 1.980734] kernel: dumpstack+0x10/0x12 [ 1.980736] kernel: ubsan_epilogue+0x9/0x45 [ 1.980739] kernel: _ubsanhandleoutofbounds.cold+0x44/0x49 [ 1.980742] kernel: ahciqcissue+0x166/0x170 [libahci] [ 1.980748] kernel: ataqcissue+0x135/0x240 [ 1.980752] kernel: ataexecinternalsg+0x2c4/0x580 [ 1.980754] kernel: ? vprintkdefault+0x1d/0x20 [ 1.980759] kernel: ataexecinternal+0x67/0xa0 [ 1.980762] kernel: satapmpread+0x8d/0xc0 [ 1.980765] kernel: satapmpreadgscr+0x3c/0x90 [ 1.980768] kernel: satapmpattach+0x8b/0x310 [ 1.980771] kernel: ataehrevalidateandattach+0x28c/0x4b0 [ 1.980775] kernel: ataehrecover+0x6b6/0xb30 [ 1.980778] kernel: ? ahcidohardreset+0x180/0x180 [libahci] [ 1.980783] kernel: ? ahcistopengine+0xb0/0xb0 [libahci] [ 1.980787] kernel: ? ahcidosoftreset+0x290/0x290 [libahci] [ 1.980792] kernel: ? traceeventraweventataehlinkautopsyqc+0xe0/0xe0 [ 1.980795] kernel: satapmpehrecover.isra.0+0x214/0x560 [ 1.980799] kernel: satapmperrorhandler+0x23/0x40 [ 1.980802] kernel: ahcierrorhandler+0x43/0x80 [libahci] [ 1.980806] kernel: atascsiporterrorhandler+0x2b1/0x600 [ 1.980810] kernel: atascsierror+0x9c/0xd0 [ 1.980813] kernel: scsierrorhandler+0xa1/0x180 [ 1.980817] kernel: ? scsiunjamhost+0x1c0/0x1c0 [ 1.980820] kernel: kthread+0x12a/0x150 [ 1.980823] kernel: ? setkthreadstruct+0x50/0x50 [ 1.980826] kernel: retfromfork+0x22/0x30 [ 1.980831] kernel: </TASK>

This happens because satapmpinitlinks() initialize link->pmp up to SATAPMPMAXPORTS while em_priv is declared as 8 elements array.

I can't find the maximum Enclosure Management ports specified in AHCI spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier Information" can utilize 4 bits, which implies it can support up to 16 ports. Hence, use SATAPMPMAXPORTS as EMMAX_SLOTS to resolve the issue.

BugLink: https://bugs.launchpad.net/bugs/1970074