Bug 469715 - libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127
Summary: libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: David Milburn
QA Contact: Martin Jenner
URL:
Whiteboard:
Duplicates: 469716
Depends On:
Blocks:
Reported: 2008-11-03 16:58 UTC by David Milburn
Modified: 2009-01-20 20:10 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 20:10:24 UTC
Target Upstream Version:
Embargoed:


Attachments
Upstream patch to correct problem (620 bytes, patch)
2008-11-03 17:02 UTC, David Milburn


Links
Red Hat Product Errata RHSA-2009:0225 (normal priority, status SHIPPED_LIVE): Important: Red Hat Enterprise Linux 5.3 kernel security and bug fix update. Last updated 2009-01-20 16:06:24 UTC.

Description David Milburn 2008-11-03 16:58:49 UTC
In ata_tf_to_lba48(), when evaluating

	(tf->hob_lbal & 0xff) << 24

the expression is promoted to signed int (since int can hold all values
of u8).  However, if hob_lbal is 128 or more, then it is treated as a
negative signed value and sign-extended when promoted to u64 to | into
sectors, which leads to the MSB 32 bits of sectors getting set
incorrectly.
 
Actual results:
May cause data corruption on large disks (1.5 TB).

Expected results:
Large disk should work correctly.

Comment 1 David Milburn 2008-11-03 17:02:05 UTC
Created attachment 322342 [details]
Upstream patch to correct problem

commit ba14a9c291aa867896a90b3571fcc1c3759942ff
Author: Roland Dreier <rdreier>
Date:   Tue Oct 28 16:52:20 2008 -0700

    libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127
    
    In ata_tf_to_lba48(), when evaluating
    
        (tf->hob_lbal & 0xff) << 24
    
    the expression is promoted to signed int (since int can hold all values
    of u8).  However, if hob_lbal is 128 or more, then it is treated as a
    negative signed value and sign-extended when promoted to u64 to | into
    sectors, which leads to the MSB 32 bits of sectors getting set
    incorrectly.
    
    For example, Phillip O'Donnell <phillip.odonnell> reported
    that a 1.5GB drive caused:
    
        ata3.00: HPA detected: current 2930277168, native 18446744072344861488
    
    where 2930277168 == 0xAEA87B30 and 18446744072344861488 == 0xffffffffaea87b3
    which shows the problem when hob_lbal is 0xae.
    
    Fix this by adding a cast to u64, just as is used for hob_lbah and
    hob_lbam in the function.
    
    Reported-by: Phillip O'Donnell <phillip.odonnell>
    Signed-off-by: Roland Dreier <rolandd>
    Signed-off-by: Jeff Garzik <jgarzik>
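The sign-extension described in the report and in the commit message above, reproduced as an added C example (not the attached patch and not kernel source): struct ata_taskfile here is a constructed stand-in holding only the six LBA byte registers, and tf_from_lba, tf_to_lba48's fixed flag, decode_buggy and decode_fixed are assumed helper names. Feeding it the reported native sector count 0xAEA87B30 yields the bogus 18446744072344861488 with the pre-fix arithmetic and 2930277168 with the cast applied.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint64_t u64;

/* Constructed stand-in for the six LBA byte registers that
 * ata_tf_to_lba48() reads; not the kernel's struct ata_taskfile. */
struct ata_taskfile { u8 hob_lbah, hob_lbam, hob_lbal, lbah, lbam, lbal; };

/* Split a 48-bit LBA into the byte registers (constructed helper). */
struct ata_taskfile tf_from_lba(u64 lba)
{
    struct ata_taskfile tf = {
        .hob_lbah = (lba >> 40) & 0xff, .hob_lbam = (lba >> 32) & 0xff,
        .hob_lbal = (lba >> 24) & 0xff, .lbah = (lba >> 16) & 0xff,
        .lbam = (lba >> 8) & 0xff, .lbal = lba & 0xff };
    return tf;
}

/* Reassemble the sector number. With fixed == 0 the hob_lbal term is the
 * pre-fix expression: (hob_lbal & 0xff) is an int, so for hob_lbal >= 0x80 the
 * shift sets bit 31 and the negative int is sign-extended into bits 63..32 when
 * OR-ed into the u64. With fixed != 0 the u64 cast widens the byte first. */
u64 tf_to_lba48(const struct ata_taskfile *tf, int fixed)
{
    u64 sectors = 0;
    sectors |= ((u64)(tf->hob_lbah & 0xff)) << 40;
    sectors |= ((u64)(tf->hob_lbam & 0xff)) << 32;
    if (fixed)
        sectors |= ((u64)(tf->hob_lbal & 0xff)) << 24;
    else
        sectors |= (tf->hob_lbal & 0xff) << 24;    /* int shift, sign-extended */
    sectors |= (tf->lbah & 0xff) << 16;
    sectors |= (tf->lbam & 0xff) << 8;
    sectors |= (tf->lbal & 0xff);
    return sectors;
}

/* Round trip: encode an LBA into the registers, then decode it either way. */
u64 decode_buggy(u64 lba) { struct ata_taskfile tf = tf_from_lba(lba); return tf_to_lba48(&tf, 0); }
u64 decode_fixed(u64 lba) { struct ata_taskfile tf = tf_from_lba(lba); return tf_to_lba48(&tf, 1); }
int main(void)
{
    u64 native = 0xAEA87B30ULL;  /* native sector count quoted in the report */
    printf("buggy: %llu\nfixed: %llu\n", (unsigned long long)decode_buggy(native),
           (unsigned long long)decode_fixed(native));
    return 0;
}
```

Any hob_lbal value below 0x80 decodes identically both ways, which is why the bug only surfaced on drives large enough to set that bit.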

Comment 3 Linda Wang 2008-11-03 17:48:51 UTC
*** Bug 469716 has been marked as a duplicate of this bug. ***

Comment 5 Don Zickus 2008-11-12 16:37:56 UTC
in kernel-2.6.18-123.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 7 Chuck Ebbert 2008-11-13 21:50:35 UTC
An additional overflow has been found. Fixed by:

44901a96847b9967c057832b185e2f34ee6a14e5 
libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127

Comment 8 David Milburn 2008-11-14 12:36:10 UTC
Opened BZ 471576 for possible overflow in ata_tf_read_block.

Comment 12 errata-xmlrpc 2009-01-20 20:10:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html

