apio/Luna
1
1
Fork 0
Code Issues Pull Requests Actions Projects Releases 8 Wiki Activity

kernel/ATA: Fix buffer overflow in ATADevice::read() with small sizes and unaligned offsets

Browse Source
This commit is contained in:
apio 2023-06-17 00:48:53 +02:00
parent 27b26f389c
commit c2cdb861c9
Signed by: apio
GPG Key ID: B8A7D06E42258954
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
kernel/src/arch/x86_64/disk/ATA.cpp
View File

@ -750,12 +750,17 @@ Result<u64> ATADevice::read(u8* buf, usize offset, usize size) const
ScopedKMutexLock<100>(m_drive->channel()->lock()); ScopedKMutexLock<100>(m_drive->channel()->lock());
// FIXME: Don't always allocate this if we don't need it.
auto* temp = TRY(make_array<u8>(block_size)); auto* temp = TRY(make_array<u8>(block_size));
auto guard = make_scope_guard([temp] { delete[] temp; }); auto guard = make_scope_guard([temp] { delete[] temp; });
if (offset % block_size) if (offset % block_size)
{ {
// The size we need to read to round up to a block.
usize extra_size = block_size - (offset % block_size); usize extra_size = block_size - (offset % block_size);
// Maybe we don't even want enough to get to the next block?
if (extra_size > size) extra_size = size;
TRY(m_drive->read_lba(offset / block_size, temp, 1)); TRY(m_drive->read_lba(offset / block_size, temp, 1));
memcpy(buf, temp + (offset % block_size), extra_size); memcpy(buf, temp + (offset % block_size), extra_size);
offset += extra_size; offset += extra_size;