On 06/19/2009 12:41 AM, Christian Engelmayer wrote:
Please have a look at the usage of ata_id_to_hd_driveid() in ide-ioctls.c.
u16 array 'id' is allocated depending on the command, which might result in
142 byte. Indexing into the array at position 'ATA_ID_LBA_CAPACITY_2' in
ata_id_to_hd_driveid() would overrun the allocated memory in that case.
Looks like ata_id_to_hd_driveid assumes the id memory is fully
allocated, which seems a reasonable assumption. ide_get_identity_ioctl
should likely allocate the full ATA_ID_WORDS * 2 unconditionally even if
only part of it is used.
Regards,
Christian
ide-ioctls.c:
static int ide_get_identity_ioctl(ide_drive_t *drive, unsigned int cmd,
unsigned long arg)
u16 *id = NULL;
int size = (cmd == HDIO_GET_IDENTITY) ? (ATA_ID_WORDS * 2) : 142;
..
id = kmalloc(size, GFP_KERNEL);
..
ata_id_to_hd_driveid(id);
..
ata.h:
static inline void ata_id_to_hd_driveid(u16 *id)
{
#ifdef __BIG_ENDIAN
..
*(u64 *)&id[ATA_ID_LBA_CAPACITY_2] =
ata_id_u64(id, ATA_ID_LBA_CAPACITY_2);
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
