Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 469715

Summary: libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127
Product: Red Hat Enterprise Linux 5 Reporter: David Milburn <dmilburn>
Component: kernelAssignee: David Milburn <dmilburn>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: jcm, lwang, mgahagan, peterm, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 20:10:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Upstream patch to correct problem none

Description David Milburn 2008-11-03 16:58:49 UTC 
In ata_tf_to_lba48(), when evaluating

	(tf->hob_lbal & 0xff) << 24

the expression is promoted to signed int (since int can hold all values
of u8).  However, if hob_lbal is 128 or more, then it is treated as a
negative signed value and sign-extended when promoted to u64 to | into
sectors, which leads to the MSB 32 bits of section getting set
incorrectly.
 
Actual results:
May cause data corruption on large disks (1.5 TB).

Expected results:
Large disk should work correctly.
Comment 1 David Milburn 2008-11-03 17:02:05 UTC 
Created attachment 322342 [details]
Upstream patch to correct problem

commit ba14a9c291aa867896a90b3571fcc1c3759942ff
Author: Roland Dreier <rdreier>
Date:   Tue Oct 28 16:52:20 2008 -0700

    libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127
    
    In ata_tf_to_lba48(), when evaluating
    
        (tf->hob_lbal & 0xff) << 24
    
    the expression is promoted to signed int (since int can hold all values
    of u8).  However, if hob_lbal is 128 or more, then it is treated as a
    negative signed value and sign-extended when promoted to u64 to | into
    sectors, which leads to the MSB 32 bits of section getting set
    incorrectly.
    
    For example, Phillip O'Donnell <phillip.odonnell> reported
    that a 1.5GB drive caused:
    
        ata3.00: HPA detected: current 2930277168, native 18446744072344861488
    
    where 2930277168 == 0xAEA87B30 and 18446744072344861488 == 0xffffffffaea87b3
    which shows the problem when hob_lbal is 0xae.
    
    Fix this by adding a cast to u64, just as is used by for hob_lbah and
    hob_lbam in the function.
    
    Reported-by: Phillip O'Donnell <phillip.odonnell>
    Signed-off-by: Roland Dreier <rolandd>
    Signed-off-by: Jeff Garzik <jgarzik>
Comment 3 Linda Wang 2008-11-03 17:48:51 UTC 
*** Bug 469716 has been marked as a duplicate of this bug. ***
Comment 5 Don Zickus 2008-11-12 16:37:56 UTC 
in kernel-2.6.18-123.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 7 Chuck Ebbert 2008-11-13 21:50:35 UTC 
An additional overflow has been found. Fixed by:

44901a96847b9967c057832b185e2f34ee6a14e5 
libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127
Comment 8 David Milburn 2008-11-14 12:36:10 UTC 
Opened BZ 471576 for possible overflow in ata_tf_read_block.
Comment 12 errata-xmlrpc 2009-01-20 20:10:24 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html