Re: [PATCH 1/1] ide: memory overrun in ide_get_identity_ioctl() on big endian machines using ioctl HDIO_OBSOLETE_IDENTITY

On Sunday 21 June 2009 00:04:23 Christian Engelmayer wrote:
> From: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>
> 
> This patch fixes a memory overrun in function ide_get_identity_ioctl() which
> chooses the size of a memory buffer depending on the ioctl command that led
> to the function call, however, passes that buffer to a function which needs the
> buffer size to be always chosen unconditionally.
> 
> Due to conditional compilation the memory overrun can only happen on big endian
> machines. The error can be triggered using ioctl HDIO_OBSOLETE_IDENTITY. Usage
> of ioctl HDIO_GET_IDENTITY is safe.
> 
> Signed-off-by: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>

Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@xxxxxxxxx>

> --
> Proposed patch after comment by Robert Hancock who shares the view that buffer
> 'id' should be allocated unconditionally.
> 
> --- drivers/ide/ide-ioctls.c.orig	2009-06-20 23:22:45.000000000 +0200
> +++ drivers/ide/ide-ioctls.c	2009-06-20 23:30:21.000000000 +0200
> @@ -64,7 +64,8 @@ static int ide_get_identity_ioctl(ide_dr
>  		goto out;
>  	}
>  
> -	id = kmalloc(size, GFP_KERNEL);
> +	/* ata_id_to_hd_driveid() relies on 'id' to be fully allocated. */
> +	id = kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL);
>  	if (id == NULL) {
>  		rc = -ENOMEM;
>  		goto out;
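
Review bot: at the new kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL) line the allocation no longer depends on 'size', and the hunk does not show what 'size' is still used for. Please confirm that the length copied back to user space further down remains bounded by the per-ioctl 'size' and not by the new allocation length. Since kmalloc() does not zero the buffer, it is also worth checking that every byte that can reach user space is written before the copy. The added comment would be more useful to later readers if it stated the reason given in the commit message: the conversion in ata_id_to_hd_driveid() is only compiled in on big endian machines and needs the full ATA_ID_WORDS * 2 bytes regardless of which ioctl was issued.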