Bug 112249 - Kernel crashes when invalid input in CDROM_SEND_PACKET
Product: Fedora
Classification: Fedora
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Dave Jones
QA Contact: Brian Brock
Reported: 2003-12-16 12:54 EST by Szombathelyi György
Modified: 2015-01-04 17:04 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-09-29 15:51:25 EDT

Attachments
Test case for the bug (672 bytes, text/plain)
2003-12-16 12:56 EST, Szombathelyi György
Proposed patch to fix the bug (1.39 KB, patch)
2003-12-16 12:58 EST, Szombathelyi György

Description Szombathelyi György 2003-12-16 12:54:42 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686; , hu_HU, hu) (KHTML, like Gecko)

Description of problem:
In the CDROM_SEND_PACKET ioctl, when someone passes a cdrom_generic_command structure with an invalid buffer pointer and a data direction which requires copying data from the buffer, the cdrom module crashes. Also, there are some memory leaks in the cdrom_do_cmd function in cdrom.c.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up a cdrom_generic_command structure with invalid data
2. pass to the uniform cdrom driver (with CDROM_SEND_PACKET_IOCTL)
3. watch the kernel OOPS

Actual Results:  Kernel crashes

Expected Results:  Kernel should not crash, of course

Additional info:
Comment 1 Szombathelyi György 2003-12-16 12:56:00 EST
Created attachment 96559
Test case for the bug
Comment 2 Szombathelyi György 2003-12-16 12:58:58 EST
Created attachment 96560
Proposed patch to fix the bug

I posted this patch to Jens Axboe some months ago. He committed it to the 2.6 test
series. After that he rewrote the whole CDROM_SEND_COMMAND ioctl.
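
The defensive pattern the report calls for (check the result of copying from the caller's buffer, and free the temporary buffer on every exit path), shown as an added userspace model. It is not the attached patch and not kernel code: all names are hypothetical, `model_copy` stands in for `copy_from_user()`/`copy_to_user()` and treats NULL as the only invalid address, and the 65536-byte cap is arbitrary.

```c
/* Userspace model, added example. All names are hypothetical; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum dir { DIR_NONE, DIR_WRITE, DIR_READ };   /* models the data direction */
struct generic_cmd {                          /* simplified command structure */
    unsigned char *buffer;                    /* caller-supplied, untrusted */
    unsigned int buflen;
    enum dir direction;
};
static int live_allocs;                       /* outstanding bounce buffers */

/* Stand-in for copy_from_user()/copy_to_user(): returns bytes NOT copied.
 * This model treats NULL as the only invalid user address. */
static unsigned long model_copy(void *dst, const void *src, unsigned long n)
{
    if (!dst || !src) return n;
    memcpy(dst, src, n);
    return 0;
}

int send_packet_model(struct generic_cmd *cgc)
{
    unsigned char *bounce = NULL;
    int ret = 0;
    if (cgc->direction != DIR_NONE) {
        if (cgc->buflen == 0 || cgc->buflen > 65536) return -EINVAL; /* arbitrary cap */
        bounce = calloc(1, cgc->buflen);
        if (!bounce) return -ENOMEM;
        live_allocs++;
    }
    if (cgc->direction == DIR_WRITE && model_copy(bounce, cgc->buffer, cgc->buflen)) {
        ret = -EFAULT;            /* bad pointer: fail the call, do not fault */
        goto out;
    }
    /* ... the device command would run here, using bounce ... */
    if (cgc->direction == DIR_READ && model_copy(cgc->buffer, bounce, cgc->buflen))
        ret = -EFAULT;
out:
    if (bounce) live_allocs--;    /* every exit after allocation frees: no leak */
    free(bounce);
    return ret;
}
int main(void)
{
    struct generic_cmd bad = { NULL, 16, DIR_WRITE };   /* constructed invalid input */
    printf("ret=%d\n", send_packet_model(&bad));
    return 0;
}
```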
Comment 3 Dave Jones 2003-12-16 18:55:04 EST
Thanks, I'll include this in the next kernel update.
Comment 4 David Lawrence 2004-09-29 15:51:25 EDT
Thanks for the bug report. However, Red Hat no longer maintains this version of
the product. Please upgrade to the latest version and open a new bug if the problem

The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, 
and if you believe this bug is interesting to them, please report the problem in
the bug tracker at: http://bugzilla.fedora.us/
