Commit 2c2ed8bf authored Sep 28, 2009 by David Jeffery Committed by James Bottomley Oct 02, 2009

[SCSI] st: fix possible memory use after free after MTSETBLK ioctl

A memory use after free bug can manifest if the MTSETBLK or SET_DENS_AND_BLK
ioctl features are used to set the tape's blocksize from 0 to non-zero.
After the driver sets the new block size, in this one case it calls
normalize_buffer() to free the device's internal data buffers. However, the
ioctl code assumes there is always a buffer and does not check or allocate
a buffer if there isn't one. So any following ioctl calls can corrupt
a part of memory by writing data to memory that the st driver had freed.

This patch removes the normalize_buffer() call and the specialness of
changing from a 0 to non-zero blocksize to fix the possible use of
memory after it has been freed by the st driver.

signed-off-by: David Jeffery <djeffery@redhat.com>
Acked-by: Kai Makisara <kai.makisara@kolumbus.fi>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

parent 2afc95bf

drivers/scsi/st.c

+0 −3

Original line number	Diff line number	Diff line
		@@ -2859,11 +2859,8 @@ static int st_int_ioctl(struct scsi_tape *STp, unsigned int cmd_in, unsigned lon
		ioctl_result = st_int_ioctl(STp, MTBSF, 1);

		if (cmd_in == MTSETBLK \|\| cmd_in == SET_DENS_AND_BLK) {
		int old_block_size = STp->block_size;
		STp->block_size = arg & MT_ST_BLKSIZE_MASK;
		if (STp->block_size != 0) {
		if (old_block_size == 0)
		normalize_buffer(STp->buffer);
		(STp->buffer)->buffer_blocks =
		(STp->buffer)->buffer_size / STp->block_size;
		}

Admin message