From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686; , hu_HU, hu) (KHTML, like Gecko)

Description of problem:
In the CDROM_SEND_PACKET ioctl, when someone passes a cdrom_generic_command structure with an invalid buffer pointer and a data direction which requires copying data from the buffer, the cdrom module crashes. Also, there are some memory leaks in the cdrom_do_cmd function in cdrom.c.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. set up a cdrom_generic_command structure with invalid data
2. pass to the uniform cdrom driver (with CDROM_SEND_PACKET_IOCTL)
3. watch the kernel OOPS

Actual Results:
Kernel crashes

Expected Results:
Kernel should not crash, of course

Additional info:
Created attachment 96559 [details] Test case for the bug
Created attachment 96560 [details] Proposed patch to fix the bug

I posted this patch to Jens Axboe some months ago. He committed it to 2.6 test series. After that he rewrote the whole CDROM_SEND_COMMAND ioctl.
Thanks, I'll include this in the next kernel update.
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/