From c2cdb861c9863a799ce3c6c35267bb4a762bd91c Mon Sep 17 00:00:00 2001
From: apio
Date: Sat, 17 Jun 2023 00:48:53 +0200
Subject: [PATCH] kernel/ATA: Fix buffer overflow in ATADevice::read() with small sizes and unaligned offsets
---
 kernel/src/arch/x86_64/disk/ATA.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/kernel/src/arch/x86_64/disk/ATA.cpp b/kernel/src/arch/x86_64/disk/ATA.cpp
index 6bb63220..5d61c7a6 100644
--- a/kernel/src/arch/x86_64/disk/ATA.cpp
+++ b/kernel/src/arch/x86_64/disk/ATA.cpp
@@ -750,12 +750,17 @@ Result ATADevice::read(u8* buf, usize offset, usize size) const
 ScopedKMutexLock<100>(m_drive->channel()->lock());
+ // FIXME: Don't always allocate this if we don't need it.
 auto* temp = TRY(make_array(block_size));
 auto guard = make_scope_guard([temp] { delete[] temp; });
 if (offset % block_size)
 {
+ // The size we need to read to round up to a block.
 usize extra_size = block_size - (offset % block_size);
+ // Maybe we don't even want enough to get to the next block?
+ if (extra_size > size) extra_size = size;
+
 TRY(m_drive->read_lba(offset / block_size, temp, 1));
 memcpy(buf, temp + (offset % block_size), extra_size);
 offset += extra_size;