From 2c2ed8bfd899b84ecbf71d28fcc2cc4ace36c8d9 Mon Sep 17 00:00:00 2001 From: David Jeffery Date: Mon, 28 Sep 2009 13:54:24 -0400 Subject: [SCSI] st: fix possible memory use after free after MTSETBLK ioctl A memory use after free bug can manifest if the MTSETBLK or SET_DENS_AND_BLK ioctl features are used to set the tape's blocksize from 0 to non-zero. After the driver sets the new block size, in this one case it calls normalize_buffer() to free the device's internal data buffers. However, the ioctl code assumes there is always a buffer and does not check or allocate a buffer if there isn't one. So any following ioctl calls can corrupt a part of memory by writing data to memory that the st driver had freed. This patch removes the normalize_buffer() call and the specialness of changing from a 0 to non-zero blocksize to fix the possible use of memory after it has been freed by the st driver. signed-off-by: David Jeffery Acked-by: Kai Makisara Signed-off-by: James Bottomley --- drivers/scsi/st.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'drivers/scsi') diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c index b33d04250bbc..12d58a7ed6bc 100644 --- a/drivers/scsi/st.c +++ b/drivers/scsi/st.c @@ -2859,11 +2859,8 @@ static int st_int_ioctl(struct scsi_tape *STp, unsigned int cmd_in, unsigned lon ioctl_result = st_int_ioctl(STp, MTBSF, 1); if (cmd_in == MTSETBLK || cmd_in == SET_DENS_AND_BLK) { - int old_block_size = STp->block_size; STp->block_size = arg & MT_ST_BLKSIZE_MASK; if (STp->block_size != 0) { - if (old_block_size == 0) - normalize_buffer(STp->buffer); (STp->buffer)->buffer_blocks = (STp->buffer)->buffer_size / STp->block_size; } -- cgit v1.2.2