Core ReactOS / CORE-11296

DataBuffer out of bounds access in uniata!AtapiInterrupt__

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: None
    • Component/s: Drivers
    • Labels:

      Description

      In CORE-11286 we saw memory corruption caused by an out of bounds access of the SRB's data buffer.
      The code in question does the following:

          // Work around to make many atapi devices return correct sector size
          // of 2048. Also certain devices will have sector count == 0x00, check
          // for that also.
          if (srb->Cdb[0] == SCSIOP_READ_CAPACITY) {

              AtaReq->DataBuffer -= wordCount;
              if (AtaReq->DataBuffer[0] == 0x00) {
                  *((ULONG *) &(AtaReq->DataBuffer[0])) = 0xFFFFFF7F;
              }

              *((ULONG *) &(AtaReq->DataBuffer[2])) = 0x00080000;
              AtaReq->DataBuffer += wordCount;
          }

      However, wordCount turned out to be 0. I'm not sure if wordCount == 0 is in itself an unexpected scenario. However, since the code wants to access the beginning of the buffer, I've replaced wordCount with AtaReq->WordsTransfered, which fixes the overrun.
      The actual values we saw were:

      AtaReq=0xB2671000, AtaReq->DataBuffer=0xF26DC000
      AtaReq->WordsLeft=0, AtaReq->WordsTransfered=4, wordCount=0
      srb=0xF274F5D0, srb->DataBuffer=0xF26DBFF8, srb->DataTransferLength=8

      Alter, could you please review uniata-fix-DataBuffer.patch for upstream inclusion? Thank you!
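Added example, not part of the bug report and not uniata code: a small C model of the READ_CAPACITY workaround above that first turns the rewound pointer into a byte offset inside the SRB's buffer and refuses the write when the 8-byte window (4-byte LBA plus 4-byte block length, big-endian) would fall outside srb->DataTransferLength. ModelSrb, ModelAtaReq, DemoResult, apply_read_capacity_workaround and demo_rewind are hypothetical names; the buffer contents are constructed, and the sizes and counts (8-byte SRB buffer, WordsTransfered=4, wordCount=0) are the values reported above. It assumes a little-endian host, as the constants in the original do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (added example, not uniata code) of the SRB and ATA
 * request fields that matter for the READ_CAPACITY workaround. */
typedef struct {
    uint8_t  *DataBuffer;          /* srb->DataBuffer: start of the caller's buffer */
    uint32_t  DataTransferLength;  /* srb->DataTransferLength: its size in bytes */
} ModelSrb;

typedef struct {
    uint16_t *DataBuffer;          /* AtaReq->DataBuffer: advanced past transferred words */
    uint32_t  WordsTransfered;     /* AtaReq->WordsTransfered (spelling as in uniata) */
} ModelAtaReq;

typedef struct {
    int      applied;   /* 1 if the workaround wrote the buffer, 0 if refused */
    uint32_t lba;       /* decoded big-endian "last LBA" field (bytes 0..3) */
    uint32_t blockLen;  /* decoded big-endian block length field (bytes 4..7) */
} DemoResult;

/* Rewind AtaReq->DataBuffer by rewindWords (the original uses wordCount, the
 * fix uses WordsTransfered) and apply the workaround only when the 8-byte
 * READ_CAPACITY window lies inside srb->DataBuffer. Stores use memcpy of a
 * uint32_t, which on a little-endian host lays down the same bytes as the
 * *(ULONG *) stores in the original. */
static int apply_read_capacity_workaround(const ModelSrb *srb, ModelAtaReq *req,
                                          uint32_t rewindWords)
{
    /* Compute the rewound position as an integer offset first, so no pointer
     * is ever formed outside the buffer. */
    ptrdiff_t curWords = req->DataBuffer - (uint16_t *)srb->DataBuffer;
    if (curWords < 0 || curWords < (ptrdiff_t)rewindWords) {
        return 0;  /* would rewind in front of the SRB buffer */
    }
    size_t byteOff = (size_t)(curWords - (ptrdiff_t)rewindWords) * sizeof(uint16_t);
    if (byteOff + 8 > srb->DataTransferLength) {
        return 0;  /* the 8-byte window would run past the SRB buffer */
    }

    uint16_t *start = req->DataBuffer - rewindWords;
    uint32_t v;
    if (start[0] == 0x00) {
        v = 0xFFFFFF7F;            /* bytes 7F FF FF FF -> big-endian 0x7FFFFFFF */
        memcpy(&start[0], &v, sizeof v);
    }
    v = 0x00080000;                /* bytes 00 00 08 00 -> big-endian 2048 */
    memcpy(&start[2], &v, sizeof v);
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Reproduces the reported layout: an 8-byte SRB buffer, 4 words already
 * transferred, device data all zeros (constructed). rewindWords = 0 models
 * the buggy wordCount, rewindWords = 4 the fixed WordsTransfered. */
static DemoResult demo_rewind(uint32_t rewindWords)
{
    uint16_t storage[4] = {0, 0, 0, 0};
    ModelSrb srb = { (uint8_t *)storage, sizeof storage };
    ModelAtaReq req = { storage + 4, 4 };
    DemoResult r;
    r.applied  = apply_read_capacity_workaround(&srb, &req, rewindWords);
    r.lba      = be32((const uint8_t *)storage);
    r.blockLen = be32((const uint8_t *)storage + 4);
    return r;
}

int main(void)
{
    DemoResult bad  = demo_rewind(0);  /* wordCount == 0: window at offset 8 */
    DemoResult good = demo_rewind(4);  /* WordsTransfered: window at offset 0 */
    printf("wordCount=0:       applied=%d lba=0x%08X blockLen=%u\n",
           bad.applied, bad.lba, bad.blockLen);
    printf("WordsTransfered=4: applied=%d lba=0x%08X blockLen=%u\n",
           good.applied, good.lba, good.blockLen);
    return 0;
}
```

With rewindWords = 0 the computed window starts at byte offset 8 of an 8-byte buffer, so the check refuses the write and the buffer stays untouched; with rewindWords = 4 the window starts at offset 0 and the buffer ends up reporting LBA 0x7FFFFFFF and a 2048-byte block length, which is what the workaround intends.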

      People

      • Assignee: alter-1 Alter
      • Reporter: ThFabba Thomas Faber