On Sunday 21 June 2009 00:04:23 Christian Engelmayer wrote:
> From: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>
>
> This patch fixes a memory overrun in function ide_get_identity_ioctl() which
> chooses the size of a memory buffer depending on the ioctl command that led
> to the function call, however, passes that buffer to a function which needs the
> buffer size to be always chosen unconditionally.
>
> Due to conditional compilation the memory overrun can only happen on big endian
> machines. The error can be triggered using ioctl HDIO_OBSOLETE_IDENTITY. Usage
> of ioctl HDIO_GET_IDENTITY is safe.
>
> Signed-off-by: Christian Engelmayer <christian.engelmayer@xxxxxxxxxxxxxx>

Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@xxxxxxxxx>

> --
> Proposed patch after comment by Robert Hancock who shares the view that buffer
> 'id' should be allocated unconditionally.
>
> --- drivers/ide/ide-ioctls.c.orig	2009-06-20 23:22:45.000000000 +0200
> +++ drivers/ide/ide-ioctls.c	2009-06-20 23:30:21.000000000 +0200
> @@ -64,7 +64,8 @@ static int ide_get_identity_ioctl(ide_dr
>  		goto out;
>  	}
>  
> -	id = kmalloc(size, GFP_KERNEL);
> +	/* ata_id_to_hd_driveid() relies on 'id' to be fully allocated. */
> +	id = kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL);
>  	if (id == NULL) {
>  		rc = -ENOMEM;
>  		goto out;
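Review bot: now that the buffer is always ATA_ID_WORDS * 2 bytes, the `size` value that the removed `id = kmalloc(size, GFP_KERNEL);` line used no longer bounds the allocation, so the copy back to user space (outside this hunk's context) must still be limited by `size` rather than by the allocation, or HDIO_OBSOLETE_IDENTITY would hand back more bytes than its caller's buffer holds; worth confirming. The added comment would also be more useful if it said why the full buffer is required: on big-endian builds ata_id_to_hd_driveid() accesses identify words beyond the end of the shorter HDIO_OBSOLETE_IDENTITY buffer, which is the overrun the commit message describes, e.g. `/* ata_id_to_hd_driveid() touches words past the HDIO_OBSOLETE_IDENTITY size, so always allocate ATA_ID_WORDS * 2 bytes. */`.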