On Sunday 21 June 2009 00:04:23 Christian Engelmayer wrote:
> From: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>
>
> This patch fixes a memory overrun in function ide_get_identity_ioctl() which
> chooses the size of a memory buffer depending on the ioctl command that led
> to the function call, however, passes that buffer to a function which needs the
> buffer size to be always chosen unconditionally.
>
> Due to conditional compilation the memory overrun can only happen on big endian
> machines. The error can be triggered using ioctl HDIO_OBSOLETE_IDENTITY. Usage
> of ioctl HDIO_GET_IDENTITY is safe.
>
> Signed-off-by: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>
Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@xxxxxxxxx>
> --
> Proposed patch after comment by Robert Hancock who shares the view that buffer
> 'id' should be allocated unconditionally.
>
> --- drivers/ide/ide-ioctls.c.orig 2009-06-20 23:22:45.000000000 +0200
> +++ drivers/ide/ide-ioctls.c 2009-06-20 23:30:21.000000000 +0200
> @@ -64,7 +64,8 @@ static int ide_get_identity_ioctl(ide_dr
> goto out;
> }
>
> - id = kmalloc(size, GFP_KERNEL);
> + /* ata_id_to_hd_driveid() relies on 'id' to be fully allocated. */
> + id = kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL);
> if (id == NULL) {
> rc = -ENOMEM;
> goto out;
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
