Bug 457027 - ide-cd: fix oops when using growisofs [mrg-1]
Summary: ide-cd: fix oops when using growisofs [mrg-1]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: 1.1
Hardware: All
OS: Linux
low
low
Target Milestone: 1.0.3
: ---
Assignee: Luis Claudio R. Goncalves
QA Contact:
URL:
Whiteboard:
Depends On: 457025
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-29 10:11 UTC by Eugene Teo (Security Response)
Modified: 2008-10-07 19:21 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-07 19:21:31 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Patch for MRG 2.6.24.7-79 (2.21 KB, patch)
2008-09-09 20:15 UTC, Luis Claudio R. Goncalves 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0857 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-10-07 19:18:59 UTC

Description Eugene Teo (Security Response) 2008-07-29 10:11:41 UTC 
+++ This bug was initially created as a clone of Bug #457025 +++

Description of problem:
cdrom_read_capacity() will blindly return the capacity from the device without
sanity-checking it.  This later causes code in fs/buffer.c to oops.

Fix this by checking that the device is telling us sensible things.

-- Additional comment from eteo on 2008-07-29 06:07 EST --
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e8e7b9eb11c34ee18bde8b7011af41938d1ad667

-- Additional comment from eteo on 2008-07-29 06:10 EST --
With reference to http://lkml.org/lkml/2008/6/22/90, problem was triggered by
running "genisoimage -C 16,737776 -M /dev/fd/3 -R -J foobar | builtin_dd
of=/dev/dvd obs=32k seek=46111" on a ppc64 machine.
Comment 1 Luis Claudio R. Goncalves 2008-08-05 19:00:25 UTC 
Queued for -76.
Comment 2 Eugene Teo (Security Response) 2008-08-18 01:35:01 UTC 
There's a follow-up patch that fixes a bug in commit e8e7b9eb11c34ee18bde8b7011af41938d1ad667. Please update your backported fix to include commit 938bb03d188a1e688fb0bcae49788f540193e80a. Thanks.
Comment 3 Luis Claudio R. Goncalves 2008-09-09 20:15:08 UTC 
Created attachment 316252 [details]
Patch for MRG 2.6.24.7-79

Queued for -79
Comment 5 David Sommerseth 2008-09-26 15:32:02 UTC 
Verified that the patch suggested and mentioned here is implemented in the mrg-rt.git as commit 983c4d7544545e2e28f783857e23539a964d9651 and 07878972d7cfba17c577f7a41bc357f7120836c2, available in the mrg-rt-2.6.24.7-81.

Not been able to reproduce on -74 yet.
Comment 6 David Sommerseth 2008-10-02 14:40:59 UTC 
Finally got a machine with DVD burner.  Tried the reproducer in a number of variants.  Since builtin_dd do not exists, I used dd instead - syntax seemed to be the same.

No luck triggering the bug at all, neither on 2.6.24.7-74rt nor 2.6.24.7-81rt :(
Comment 7 Eugene Teo (Security Response) 2008-10-03 02:38:30 UTC 
(In reply to comment #6)
> Finally got a machine with DVD burner.  Tried the reproducer in a number of
> variants.  Since builtin_dd do not exists, I used dd instead - syntax seemed to
> be the same.
> 
> No luck triggering the bug at all, neither on 2.6.24.7-74rt nor 2.6.24.7-81rt
> :(

Code review should be sufficient for this.
Comment 8 David Sommerseth 2008-10-03 07:13:49 UTC 
After comments, moved to verified.
Comment 10 errata-xmlrpc 2008-10-07 19:21:31 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0857.html
Note You need to log in before you can comment on or make changes to this bug.