On 06/19/2009 12:41 AM, Christian Engelmayer wrote:
Please have a look at the usage of ata_id_to_hd_driveid() in ide-ioctls.c. The u16 array 'id' is allocated depending on the command, which might result in 142 bytes. Indexing into the array at position 'ATA_ID_LBA_CAPACITY_2' in ata_id_to_hd_driveid() would overrun the allocated memory in that case.
Looks like ata_id_to_hd_driveid assumes the id memory is fully allocated, which seems a reasonable assumption. ide_get_identity_ioctl should likely allocate the full ATA_ID_WORDS * 2 unconditionally even if only part of it is used.
Regards,
Christian

ide-ioctls.c:

static int ide_get_identity_ioctl(ide_drive_t *drive, unsigned int cmd,
				  unsigned long arg)
{
	u16 *id = NULL;
	int size = (cmd == HDIO_GET_IDENTITY) ? (ATA_ID_WORDS * 2) : 142;
	..
	id = kmalloc(size, GFP_KERNEL);
	..
	ata_id_to_hd_driveid(id);
	..

ata.h:

static inline void ata_id_to_hd_driveid(u16 *id)
{
#ifdef __BIG_ENDIAN
	..
	*(u64 *)&id[ATA_ID_LBA_CAPACITY_2] = ata_id_u64(id, ATA_ID_LBA_CAPACITY_2);

--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
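An added user-space illustration of the size mismatch discussed in the thread (example code, not from the thread or the kernel tree): it mirrors the two ATA_ID_* constants from include/linux/ata.h, uses constructed stand-in values for the two ioctl numbers, and shows that the 142-byte allocation cannot hold words 100..103, while the full ATA_ID_WORDS * 2 allocation proposed in the reply can.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t u16;
typedef uint64_t u64;

/* Mirrors of the kernel constants in include/linux/ata.h so this runs in user space. */
#define ATA_ID_WORDS          256   /* IDENTIFY DEVICE data: 256 16-bit words = 512 bytes */
#define ATA_ID_LBA_CAPACITY_2 100   /* 48-bit LBA capacity lives in words 100..103 */
/* Constructed stand-ins for the ioctl numbers; only the comparison matters here. */
enum { HDIO_GET_IDENTITY = 1, HDIO_OBSOLETE_IDENTITY = 2 };

/* Allocation size exactly as in the ide_get_identity_ioctl() quoted above. */
size_t ide_identity_size_before(unsigned cmd)
{
	return (cmd == HDIO_GET_IDENTITY) ? (ATA_ID_WORDS * 2) : 142;
}

/* The fix suggested in the reply: always allocate the full IDENTIFY block. */
size_t ide_identity_size_after(unsigned cmd)
{
	(void)cmd;
	return ATA_ID_WORDS * 2;
}

/* Bytes a buffer must hold for words [word, word + nwords) to be in bounds. */
size_t ata_id_bytes_needed(unsigned word, unsigned nwords)
{
	return ((size_t)word + nwords) * sizeof(u16);
}

/* Assemble LBA_CAPACITY_2 from four little-endian words as ata_id_u64() does and store it
 * back natively, but refuse when the buffer cannot hold words 100..103 (bytes 200..207). */
int ata_id_to_hd_driveid_checked(u16 *id, size_t alloc_bytes, u64 *out)
{
	if (alloc_bytes < ata_id_bytes_needed(ATA_ID_LBA_CAPACITY_2, 4))
		return -1;                      /* a 142-byte 'id' ends at byte 141 */
	u64 v = (u64)id[ATA_ID_LBA_CAPACITY_2]
	      | (u64)id[ATA_ID_LBA_CAPACITY_2 + 1] << 16
	      | (u64)id[ATA_ID_LBA_CAPACITY_2 + 2] << 32
	      | (u64)id[ATA_ID_LBA_CAPACITY_2 + 3] << 48;
	memcpy(&id[ATA_ID_LBA_CAPACITY_2], &v, sizeof v); /* no u64 cast: alignment-safe */
	*out = v;
	return 0;
}

/* Constructed sample IDENTIFY buffer: capacity words set to a recognisable pattern. */
static u16 sample_id[ATA_ID_WORDS] = {
	[ATA_ID_LBA_CAPACITY_2] = 0x1234, [ATA_ID_LBA_CAPACITY_2 + 1] = 0x5678,
};
```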