Bug 469715 - libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: David Milburn
QA Contact: Martin Jenner
Duplicates: 469716
 
Reported: 2008-11-03 11:58 EST by David Milburn
Modified: 2009-01-20 15:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-01-20 15:10:24 EST

Attachments
Upstream patch to correct problem (620 bytes, patch)
2008-11-03 12:02 EST, David Milburn
Description David Milburn 2008-11-03 11:58:49 EST
In ata_tf_to_lba48(), when evaluating

	(tf->hob_lbal & 0xff) << 24

the expression is promoted to signed int (since int can hold all values
of u8).  However, if hob_lbal is 128 or more, then it is treated as a
negative signed value and sign-extended when promoted to u64 to | into
sectors, which leads to the MSB 32 bits of section getting set
incorrectly.
 
Actual results:
May cause data corruption on large disks (1.5 TB).

Expected results:
Large disk should work correctly.
Comment 1 David Milburn 2008-11-03 12:02:05 EST
Created attachment 322342 [details]
Upstream patch to correct problem

commit ba14a9c291aa867896a90b3571fcc1c3759942ff
Author: Roland Dreier <rdreier@cisco.com>
Date:   Tue Oct 28 16:52:20 2008 -0700

    libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127
    
    In ata_tf_to_lba48(), when evaluating
    
        (tf->hob_lbal & 0xff) << 24
    
    the expression is promoted to signed int (since int can hold all values
    of u8).  However, if hob_lbal is 128 or more, then it is treated as a
    negative signed value and sign-extended when promoted to u64 to | into
    sectors, which leads to the MSB 32 bits of section getting set
    incorrectly.
    
    For example, Phillip O'Donnell <phillip.odonnell@gmail.com> reported
    that a 1.5GB drive caused:
    
        ata3.00: HPA detected: current 2930277168, native 18446744072344861488
    
    where 2930277168 == 0xAEA87B30 and 18446744072344861488 == 0xffffffffaea87b3
    which shows the problem when hob_lbal is 0xae.
    
    Fix this by adding a cast to u64, just as is used for hob_lbah and
    hob_lbam in the function.
    
    Reported-by: Phillip O'Donnell <phillip.odonnell@gmail.com>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
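
Added example, not part of the original report or the upstream patch: a stand-alone C model of the promotion problem the commit message describes, fed with constructed address bytes chosen to reproduce the two values in the quoted HPA log line. The struct `tf_model` and all function names are hypothetical and exist only for this illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the six LBA48 address bytes; not the kernel's struct. */
struct tf_model {
    uint8_t hob_lbah, hob_lbam, hob_lbal; /* LBA bits 47..24 */
    uint8_t lbah, lbam, lbal;             /* LBA bits 23..0 */
};

/* Constructed sample: bytes that assemble to 2930277168 (0xAEA87B30). */
static const struct tf_model sample_tf = { 0x00, 0x00, 0xae, 0xa8, 0x7b, 0x30 };

/* Terms that are identical before and after the fix. */
static uint64_t lba48_common(const struct tf_model *tf)
{
    uint64_t sectors = 0;
    sectors |= ((uint64_t)(tf->hob_lbah & 0xff)) << 40;
    sectors |= ((uint64_t)(tf->hob_lbam & 0xff)) << 32;
    sectors |= (uint64_t)((tf->lbah & 0xff) << 16);
    sectors |= (uint64_t)((tf->lbam & 0xff) << 8);
    sectors |= (uint64_t)(tf->lbal & 0xff);
    return sectors;
}

static uint64_t lba48_buggy(const struct tf_model *tf)
{
    /* Models `(tf->hob_lbal & 0xff) << 24` computed as a 32-bit int. Shifting
     * into the sign bit is undefined in ISO C, so the wrapped value is built
     * through uint32_t (the conversion back wraps on gcc and clang). */
    int32_t term = (int32_t)((uint32_t)(tf->hob_lbal & 0xff) << 24);
    /* Widening a negative int to 64 bits sign-extends: bits 63..32 become 1. */
    return lba48_common(tf) | (uint64_t)(int64_t)term;
}

static uint64_t lba48_fixed(const struct tf_model *tf)
{
    /* The fix: widen to u64 before shifting, as for hob_lbah and hob_lbam. */
    return lba48_common(tf) | ((uint64_t)(tf->hob_lbal & 0xff) << 24);
}

/* Returns 1 if the two versions disagree for a given hob_lbal byte, else 0. */
static int lba48_mismatch(uint8_t hob_lbal)
{
    struct tf_model tf = { 0, 0, hob_lbal, 0, 0, 0 };
    return lba48_buggy(&tf) != lba48_fixed(&tf);
}

int main(void)
{
    printf("buggy: %" PRIu64 "\n", lba48_buggy(&sample_tf));
    printf("fixed: %" PRIu64 "\n", lba48_fixed(&sample_tf));
    return 0;
}
```

The same pattern is worth checking wherever a `u8` or `u16` field is shifted by 24 or more and then combined into a 64-bit value without an explicit widening cast.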
Comment 3 Linda Wang 2008-11-03 12:48:51 EST
*** Bug 469716 has been marked as a duplicate of this bug. ***
Comment 5 Don Zickus 2008-11-12 11:37:56 EST
in kernel-2.6.18-123.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 7 Chuck Ebbert 2008-11-13 16:50:35 EST
An additional overflow has been found. Fixed by:

44901a96847b9967c057832b185e2f34ee6a14e5 
libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127
Comment 8 David Milburn 2008-11-14 07:36:10 EST
Opened BZ 471576 for possible overflow in ata_tf_read_block.
Comment 12 errata-xmlrpc 2009-01-20 15:10:24 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html
