author: Christian Engelmayer <christian.engelmayer@frequentis.com> 2009-06-29 19:31:41 -0700
committer: David S. Miller <davem@davemloft.net> 2009-06-29 19:31:41 -0700
commit: e18ed145c7f556f1de8350c32739bf35b26df705 (patch)
tree: a238f98c80917c37dc46dabf19a7d5510605968b /drivers/ide
parent: 2bf427b25b79eb7cea27963a66c3d4684cae0e0c (diff)
ide: memory overrun in ide_get_identity_ioctl() on big endian machines using ioctl HDIO_OBSOLETE_IDENTITY
This patch fixes a memory overrun in function ide_get_identity_ioctl() which chooses the size of a memory buffer depending on the ioctl command that led to the function call, however, passes that buffer to a function which needs the buffer size to be always chosen unconditionally.

Due to conditional compilation the memory overrun can only happen on big endian machines. The error can be triggered using ioctl HDIO_OBSOLETE_IDENTITY. Usage of ioctl HDIO_GET_IDENTITY is safe.

Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/ide')
-rw-r--r-- drivers/ide/ide-ioctls.c | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/ide/ide-ioctls.c b/drivers/ide/ide-ioctls.c
index 82f252c..e246d3d 100644
--- a/drivers/ide/ide-ioctls.c
+++ b/drivers/ide/ide-ioctls.c
@@ -64,7 +64,8 @@ static int ide_get_identity_ioctl(ide_drive_t *drive, unsigned int cmd,
goto out;
}
- id = kmalloc(size, GFP_KERNEL);
+ /* ata_id_to_hd_driveid() relies on 'id' to be fully allocated. */
+ id = kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL);
if (id == NULL) {
rc = -ENOMEM;
goto out;
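Review bot: The added `kmalloc(ATA_ID_WORDS * 2, GFP_KERNEL)` line hard-codes the word width as a bare `2`; `ATA_ID_WORDS * sizeof(u16)` or a named byte-size constant would make the relation to the identify data explicit and keep the allocation tied to the type that ata_id_to_hd_driveid() works on. Since the buffer is no longer `size` bytes long and comes from kmalloc, which does not zero it, the comment should also state that `size` remains the ioctl-specific length for the caller, and the rest of the function (not shown in this hunk) should be checked so that only `size` bytes are copied out for HDIO_OBSOLETE_IDENTITY.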