Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit e18ed145c7f556f1de8350c32739bf35b26df705

Authored by Christian Engelmayer
Committed by David S. Miller
1 parent 2bf427b25b
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

ide: memory overrun in ide_get_identity_ioctl() on big endian machines using ioc… 

…tl HDIO_OBSOLETE_IDENTITY

This patch fixes a memory overrun in function ide_get_identity_ioctl() which
chooses the size of a memory buffer depending on the ioctl command that led
to the function call, however, passes that buffer to a function which needs the
buffer size to be always chosen unconditionally.

Due to conditional compilation the memory overrun can only happen on big endian
machines. The error can be triggered using ioctl HDIO_OBSOLETE_IDENTITY. Usage
of ioctl HDIO_GET_IDENTITY is safe.

Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 2 additions and 1 deletions Side-by-side Diff

drivers/ide/ide-ioctls.c
Diff comments   View file @ e18ed14
... ... @@ -64,7 +64,8 @@
64 64 goto out;
65 65 }
66 66  
67   - id = kmalloc(size, GFP_KERNEL);
  67 + /* ata_id_to_hd_driveid() relies on 'id' to be fully allocated. */
  68 + id = kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL);
68 69 if (id == NULL) {
69 70 rc = -ENOMEM;
70 71 goto out;