
Contents of /genpatches-2.6/trunk/2.6.14/1460_15.5_sd-memory-corruption.patch



Revision 328 - (show annotations) (download) (as text)
Tue Mar 14 13:34:17 2006 UTC (14 years, 8 months ago) by johnm
File MIME type: text/x-diff
File size: 3099 byte(s)
2.6.14-11, rebase against local tree
1 From: Stefan Richter <stefanr@s5r6.in-berlin.de>
2 Date: Sun, 26 Feb 2006 23:16:10 +0000 (+0100)
3 Subject: [PATCH] sd: fix memory corruption with broken mode page headers
4 X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.15.y.git;a=commitdiff;h=ed26c7781107e4d8fd0c654459e61b81096c4ff4
5
6 [PATCH] sd: fix memory corruption with broken mode page headers
7
8 sd: fix memory corruption with broken mode page headers
9
10 There's a problem in sd where we blindly believe the length of the
11 headers and block descriptors. Some devices return insane values for
12 these and cause our length to end up greater than the actual buffer
13 size, so check to make sure.
14
15 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
16
17 Also removed the buffer size magic number (512) and added DPOFUA of
18 zero to the defaults
19
20 Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
21 Signed-off-by: Linus Torvalds <torvalds@osdl.org>
22
23 rediff for 2.6.15.x without DPOFUA bit, taken from commit
24 489708007785389941a89fa06aedc5ec53303c96
25
26 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
27 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
28 ---
29
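--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -88,6 +88,11 @@
 #define SD_MAX_RETRIES 5
 #define SD_PASSTHROUGH_RETRIES 1
 
+/*
+ * Size of the initial data buffer for mode and read capacity data
+ */
+#define SD_BUF_SIZE 512
+
 static void scsi_disk_release(struct kref *kref);
 
 struct scsi_disk {
@@ -1299,7 +1304,7 @@ sd_do_mode_sense(struct scsi_device *sdp
 
 /*
 * read write protect setting, if possible - called only in sd_revalidate_disk()
- * called with buffer of length 512
+ * called with buffer of length SD_BUF_SIZE
 */
 static void
 sd_read_write_protect_flag(struct scsi_disk *sdkp, char *diskname,
@@ -1357,7 +1362,7 @@ sd_read_write_protect_flag(struct scsi_d
 
 /*
 * sd_read_cache_type - called only from sd_revalidate_disk()
- * called with buffer of length 512
+ * called with buffer of length SD_BUF_SIZE
 */
 static void
 sd_read_cache_type(struct scsi_disk *sdkp, char *diskname,
@@ -1402,6 +1407,8 @@ sd_read_cache_type(struct scsi_disk *sdk
 
 /* Take headers and block descriptors into account */
 len += data.header_length + data.block_descriptor_length;
+ if (len > SD_BUF_SIZE)
+ goto bad_sense;
 
 /* Get the data */
 res = sd_do_mode_sense(sdp, dbd, modepage, buffer, len, &data, &sshdr);
@@ -1414,6 +1421,12 @@ sd_read_cache_type(struct scsi_disk *sdk
 int ct = 0;
 int offset = data.header_length + data.block_descriptor_length;
 
+ if (offset >= SD_BUF_SIZE - 2) {
+ printk(KERN_ERR "%s: malformed MODE SENSE response",
+ diskname);
+ goto defaults;
+ }
+
 if ((buffer[offset] & 0x3f) != modepage) {
 printk(KERN_ERR "%s: got wrong page\n", diskname);
 goto defaults;
@@ -1472,7 +1485,7 @@ static int sd_revalidate_disk(struct gen
 if (!scsi_device_online(sdp))
 goto out;
 
- buffer = kmalloc(512, GFP_KERNEL | __GFP_DMA);
+ buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL | __GFP_DMA);
 if (!buffer) {
 printk(KERN_WARNING "(sd_revalidate_disk:) Memory allocation "
 "failure.\n");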
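Review bot: The new offset guard in sd_read_cache_type, `if (offset >= SD_BUF_SIZE - 2)`, bounds the read by the allocation size rather than by `len`, the number of bytes actually requested from the device, so `buffer[offset]` stays inside the allocation but can still land on bytes the MODE SENSE response never filled. The buffer comes from `kmalloc` in sd_revalidate_disk, which does not zero it, so those bytes would be stale or uninitialized and the cache type would be decided from them. Also comparing against `len`, e.g. `if (offset >= SD_BUF_SIZE - 2 || offset + 2 >= len)`, would close that gap, assuming `len` is still in scope there; the function body continues outside the hunks shown. The added `printk` format also lacks the trailing newline that the neighbouring "got wrong page" message has: `"%s: malformed MODE SENSE response\n"`.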
