Details
- Bug
- Resolution: Fixed
- Critical
- None
Description
In CORE-11286 we saw memory corruption caused by an out-of-bounds access of the SRB's data buffer.
The code in question does the following:
    // Work around to make many atapi devices return correct sector size
    // of 2048. Also certain devices will have sector count == 0x00, check
    // for that also.
    if (srb->Cdb[0] == SCSIOP_READ_CAPACITY) {

        AtaReq->DataBuffer -= wordCount;

        if (AtaReq->DataBuffer[0] == 0x00) {
            *((ULONG *) &(AtaReq->DataBuffer[0])) = 0xFFFFFF7F;
        }

        *((ULONG *) &(AtaReq->DataBuffer[2])) = 0x00080000;
        AtaReq->DataBuffer += wordCount;
    }
However, wordCount turned out to be 0. I'm not sure if wordCount == 0 is in itself an unexpected scenario. However, since the code wants to access the beginning of the buffer, I've replaced wordCount with AtaReq->WordsTransfered, which fixes the overrun.
The actual values we saw were:
    AtaReq=0xB2671000, AtaReq->DataBuffer=0xF26DC000
    AtaReq->WordsLeft=0, AtaReq->WordsTransfered=4, wordCount=0
    srb=0xF274F5D0, srb->DataBuffer=0xF26DBFF8, srb->DataTransferLength=8
alter-1, could you please review uniata-fix-DataBuffer.patch for upstream inclusion? Thank you!
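Added example (not part of this report and not UniATA code): a small C model of the READ CAPACITY fix-up path built from the values quoted above, with a bounds check that refuses the write unless the rewound pointer leaves all 8 patched bytes inside srb->DataBuffer. The structures, the field types (DataBuffer modelled as a pointer to 16-bit words), and the helper names are assumptions for illustration; the constants 0xFFFFFF7F and 0x00080000 are the ones in the code above, and like that code the example assumes a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal models of the two request structures. Field names
 * follow the report; the types are assumptions (DataBuffer is modelled as a
 * pointer to 16-bit words, so "-= wordCount" moves it by 2*wordCount bytes). */
typedef struct {
    uint8_t  *DataBuffer;          /* start of the caller's buffer */
    uint32_t  DataTransferLength;  /* its size in bytes */
} SRB;

typedef struct {
    uint16_t *DataBuffer;          /* current PIO position, in words */
    uint32_t  WordsLeft;
    uint32_t  WordsTransfered;
} ATA_REQ;

/* The fix-up writes 8 bytes starting at 'start'; allow it only when all 8
 * lie inside [srb->DataBuffer, srb->DataBuffer + DataTransferLength). */
static int fixup_in_bounds(const SRB *srb, const uint16_t *start)
{
    uintptr_t b  = (uintptr_t)start;
    uintptr_t lo = (uintptr_t)srb->DataBuffer;
    uintptr_t hi = lo + srb->DataTransferLength;
    return b >= lo && b <= hi && (hi - b) >= 8;
}

/* Rewind by 'rewind_words' and apply the same two writes as the original code.
 * Returns 1 if the writes were applied, 0 if they would have overrun. */
static int patch_read_capacity(const SRB *srb, ATA_REQ *req, uint32_t rewind_words)
{
    uint16_t *p = req->DataBuffer - rewind_words;
    if (!fixup_in_bounds(srb, p))
        return 0;
    if (p[0] == 0x0000) {                       /* sector count reported as 0 */
        uint32_t lba = 0xFFFFFF7F;              /* reads as 0x7FFFFFFF big-endian */
        memcpy(&p[0], &lba, sizeof lba);
    }
    uint32_t blk = 0x00080000;                  /* block length 2048, big-endian */
    memcpy(&p[2], &blk, sizeof blk);
    return 1;
}

/* Reproduce the reported state: an 8-byte SRB buffer, AtaReq->DataBuffer
 * already advanced to its end, WordsTransfered = 4. 'out' receives the
 * buffer contents afterwards. The buffer itself is constructed test data. */
static int run_reported_case(uint32_t rewind_words, uint8_t out[8])
{
    uint16_t buf[4] = { 0, 0, 0, 0 };
    SRB srb = { (uint8_t *)buf, sizeof buf };
    ATA_REQ req = { buf + 4, 0, 4 };            /* one past the end, 4 words done */
    int ok = patch_read_capacity(&srb, &req, rewind_words);
    memcpy(out, buf, sizeof buf);
    return ok;
}

/* 1 if the fix-up was applied for this rewind, 0 if the bounds check refused it. */
int demo_applies(uint32_t rewind_words)
{
    uint8_t out[8];
    return run_reported_case(rewind_words, out);
}

/* Buffer contents after the fix-up, packed with byte 0 most significant
 * (the order the SCSI READ CAPACITY response is read in); 0 if refused. */
uint64_t demo_patched_bytes(uint32_t rewind_words)
{
    uint8_t out[8];
    if (!run_reported_case(rewind_words, out))
        return 0;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | out[i];
    return v;
}

int main(void)
{
    printf("rewind by wordCount=0:       %s\n",
           demo_applies(0) ? "applied" : "refused (would overrun)");
    printf("rewind by WordsTransfered=4: %s, bytes 0x%016llX\n",
           demo_applies(4) ? "applied" : "refused",
           (unsigned long long)demo_patched_bytes(4));
    return 0;
}
```

Rewinding by wordCount (0) leaves the pointer at the end of the 8-byte buffer, which is exactly the reported state (AtaReq->DataBuffer = srb->DataBuffer + 8), so the writes at word offsets 0 and 2 would land past the allocation and the check refuses them. Rewinding by WordsTransfered (4 words) brings the pointer back to srb->DataBuffer, and the patched bytes read, big-endian, as LBA 0x7FFFFFFF and block length 0x800.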
Attachments
Issue Links
- relates to CORE-11286 Pool corruption on KVM testbot, assertion failure 'Hash == TableMask' (Resolved)
- relates to CORE-11451 Update UniATA in trunk to v0.46e version from 0.46d7 (Resolved)