* Bug/exploit in ide_taskfile_ioctl() ??
@ 2005-04-13 18:55 Mark Lord
From: Mark Lord @ 2005-04-13 18:55 UTC (permalink / raw)
To: IDE/ATA development list
Hi,
I just noticed this code (below) in ide-taskfile.c.
In particular, the two lines that initialize argsptr and hobsptr
appear to be completely incorrect, and if this function is ever
invoked they stand a good chance of causing memory corruption.
int ide_taskfile_ioctl (ide_drive_t *drive, unsigned int cmd, unsigned long arg)
{
	ide_task_request_t *req_task;
	ide_task_t args;
	u8 *outbuf = NULL;
	u8 *inbuf = NULL;
	task_ioreg_t *argsptr = args.tfRegister;
	task_ioreg_t *hobsptr = args.hobRegister;
	int err = 0;
	...
	memcpy(argsptr, req_task->io_ports, HDIO_DRIVE_TASK_HDR_SIZE);
	memcpy(hobsptr, req_task->hob_ports, HDIO_DRIVE_HOB_HDR_SIZE);
	...
I believe there's a missing '&' on both of the initialization lines.
Cheers
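A quick way to check the suspicion raised above is to mirror the two initializations in a user-space harness and test where the pointers land and where the memcpy writes end up. This is added example code, not from the message or from the kernel tree; it assumes tfRegister/hobRegister are fixed-size arrays of task_ioreg_t and that task_ioreg_t is a byte (the real header is not on the page), and the request contents are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (reconstruction, not the kernel header): 8-entry arrays. */
typedef uint8_t task_ioreg_t;
#define HDIO_DRIVE_TASK_HDR_SIZE (8 * sizeof(task_ioreg_t))
#define HDIO_DRIVE_HOB_HDR_SIZE  (8 * sizeof(task_ioreg_t))

typedef struct {
    task_ioreg_t tfRegister[8];
    task_ioreg_t hobRegister[8];
} ide_task_t;

typedef struct {
    task_ioreg_t io_ports[8];
    task_ioreg_t hob_ports[8];
} ide_task_request_t;

/* Mirror the two questioned initializations and the two memcpy calls.
 * Returns 1 only if both pointers address the arrays inside args and the
 * copies land there byte for byte; 0 otherwise. */
int copy_regs_lands_inside_args(const ide_task_request_t *req_task)
{
    ide_task_t args;
    task_ioreg_t *argsptr = args.tfRegister;   /* line under suspicion */
    task_ioreg_t *hobsptr = args.hobRegister;  /* line under suspicion */

    /* Compare the spelling used with the '&' spelling proposed in the report. */
    int same_tf  = ((void *)argsptr == (void *)&args.tfRegister);
    int same_hob = ((void *)hobsptr == (void *)&args.hobRegister);

    memset(&args, 0, sizeof args);
    memcpy(argsptr, req_task->io_ports, HDIO_DRIVE_TASK_HDR_SIZE);
    memcpy(hobsptr, req_task->hob_ports, HDIO_DRIVE_HOB_HDR_SIZE);

    int tf_ok  = memcmp(args.tfRegister,  req_task->io_ports,  HDIO_DRIVE_TASK_HDR_SIZE) == 0;
    int hob_ok = memcmp(args.hobRegister, req_task->hob_ports, HDIO_DRIVE_HOB_HDR_SIZE) == 0;
    return same_tf && same_hob && tf_ok && hob_ok;
}

/* Constructed sample request: distinct bytes so a misplaced copy is visible. */
int check_with_sample(void)
{
    ide_task_request_t r;
    for (int i = 0; i < 8; i++) {
        r.io_ports[i]  = (task_ioreg_t)(0x10 + i);
        r.hob_ports[i] = (task_ioreg_t)(0x80 + i);
    }
    return copy_regs_lands_inside_args(&r);
}

int main(void)
{
    printf("copies land inside args: %s\n", check_with_sample() ? "yes" : "no");
    return 0;
}
```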