From: Robert Hancock <hancockrwd@gmail.com>
To: Christian Engelmayer <christian.engelmayer@frequentis.com>
Cc: bzolnier@gmail.com, linux-ide@vger.kernel.org
Subject: Re: potential memory overrun in ata_id_to_hd_driveid() on big endian machines
Date: Sat, 20 Jun 2009 15:05:49 -0600 [thread overview]
Message-ID: <4A3D4F2D.7030906@gmail.com> (raw)
In-Reply-To: <20090619084105.4cdf78be@frequentis.com>
On 06/19/2009 12:41 AM, Christian Engelmayer wrote:
> Please have a look at the usage of ata_id_to_hd_driveid() in ide-ioctls.c.
>
> u16 array 'id' is allocated depending on the command, which might result in
> 142 byte. Indexing into the array at position 'ATA_ID_LBA_CAPACITY_2' in
> ata_id_to_hd_driveid() would overrun the allocated memory in that case.
Looks like ata_id_to_hd_driveid assumes the id memory is fully
allocated, which seems a reasonable assumption. ide_get_identity_ioctl
should likely allocate the full ATA_ID_WORDS * 2 unconditionally even if
only part of it is used.
>
> Regards,
> Christian
>
> ide-ioctls.c:
>
> static int ide_get_identity_ioctl(ide_drive_t *drive, unsigned int cmd,
> unsigned long arg)
>
> u16 *id = NULL;
> int size = (cmd == HDIO_GET_IDENTITY) ? (ATA_ID_WORDS * 2) : 142;
>
> ..
>
> id = kmalloc(size, GFP_KERNEL);
>
> ..
>
> ata_id_to_hd_driveid(id);
>
> ..
>
> ata.h:
>
> static inline void ata_id_to_hd_driveid(u16 *id)
> {
> #ifdef __BIG_ENDIAN
>
> ..
>
> *(u64 *)&id[ATA_ID_LBA_CAPACITY_2] =
> ata_id_u64(id, ATA_ID_LBA_CAPACITY_2);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ide" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2009-06-20 21:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-19 6:41 potential memory overrun in ata_id_to_hd_driveid() on big endian machines Christian Engelmayer
2009-06-20 21:05 ` Robert Hancock [this message]
2009-06-20 22:04 ` [PATCH 1/1] ide: memory overrun in ide_get_identity_ioctl() on big endian machines using ioctl HDIO_OBSOLETE_IDENTITY Christian Engelmayer
2009-06-22 9:49 ` Bartlomiej Zolnierkiewicz
2009-06-30 2:31 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A3D4F2D.7030906@gmail.com \
--to=hancockrwd@gmail.com \
--cc=bzolnier@gmail.com \
--cc=christian.engelmayer@frequentis.com \
--cc=linux-ide@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.