CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer

CKI Backport Botrequested to merge
redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream/src/kernel/centos-stream-9:backport-RHEL-81457-centos-stream-9-main into main

JIRA: https://issues.redhat.com/browse/RHEL-81457
CVE: CVE-2025-21738

commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2
Author: Niklas Cassel <cassel@kernel.org>
Date:   Mon Jan 27 16:43:04 2025 +0100

    ata: libata-sff: Ensure that we cannot write outside the allocated buffer
    
    reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
    set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
    ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
    write outside the allocated buffer, overwriting random memory.
    
    While a ATA device is supposed to abort a ATA_NOP command, there does seem
    to be a bug either in libata-sff or QEMU, where either this status is not
    set, or the status is cleared before read by ata_sff_hsm_move().
    Anyway, that is most likely a separate bug.
    
    Looking at __atapi_pio_bytes(), it already has a safety check to ensure
    that __atapi_pio_bytes() cannot write outside the allocated buffer.
    
    Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
    cannot write outside the allocated buffer.
    
    Cc: stable@vger.kernel.org
    Reported-by: reveliofuzzing <reveliofuzzing@gmail.com>
    Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
    Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
    Signed-off-by: Niklas Cassel <cassel@kernel.org>```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-02-27 22:17 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Merge request reports