[parted-devel] memory overrun patch: libparted/arch/linux.c

Jim Meyering jim at meyering.net
Thu Mar 8 16:08:06 CET 2007


Jim Meyering <jim at meyering.net> wrote:

> Jim Meyering <jim at meyering.net> wrote:
>> Here's a patch for the second memory overrun bug:
>>
>> 	linux.c: Avoid memory overrun.  Handle 2048-byte logical sectors.
>> 	* libparted/arch/linux.c (linux_read): Allocate the right amount of
>> 	space for the (potentially 2048-byte-long) sectors we're about to read.
>
> Hmm..., I see that linux_write has the same problem:
>
>         size_t                  write_length = count * dev->sector_size;
>           ...
>                 if (posix_memalign(&diobuf, PED_SECTOR_SIZE_DEFAULT,
>                            count * PED_SECTOR_SIZE_DEFAULT) != 0)
>           ...
>           status = write (arch_specific->fd, diobuf, write_length);
>
> another patch coming up...

Actually, in linux_write it's more complicated.

For discussion, let N be count * PED_SECTOR_SIZE_DEFAULT.
First it allocates an N-byte buffer, B, with posix_memalign.
Then it copies N bytes into B with memcpy.
But then it writes write_length (4*N) bytes from B to
the destination device, thus reading 3*N bytes past the end of B
and writing all of that to the device.

Does anyone know how to exercise linux_write with 2048-byte logical
sectors?
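The corrected shape described above, as an added example (not parted's code): a model of linux_write against an in-memory device in which one write_length derived from dev->sector_size sizes the allocation, the memcpy and the write. PED_SECTOR_SIZE_DEFAULT is assumed to be 512; the struct, function names and sample data are constructed for the example, and the wrap check on count * sector_size goes beyond what the post discusses.

```c
#define _POSIX_C_SOURCE 200112L   /* for posix_memalign */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PED_SECTOR_SIZE_DEFAULT 512   /* assumed libparted value */
/* Stand-in for PedDevice with an in-memory "disk" instead of an fd. */
struct fake_dev {
    size_t sector_size;      /* logical sector size: 512 or 2048 */
    unsigned char *disk;     /* backing store standing in for the fd */
    size_t disk_len;
};
/* Corrected shape of linux_write: one write_length, derived from
 * dev->sector_size, sizes the allocation, the memcpy and the write
 * (the bug sized the allocation from PED_SECTOR_SIZE_DEFAULT instead).
 * Returns 1 on success, 0 on error. */
int write_sectors(struct fake_dev *dev, const void *buffer,
                  size_t start, size_t count)
{
    /* Refuse counts that would wrap the size computation. */
    if (count == 0 || count > SIZE_MAX / dev->sector_size ||
        start > SIZE_MAX / dev->sector_size)
        return 0;
    size_t write_length = count * dev->sector_size;
    size_t offset = start * dev->sector_size;
    if (offset > dev->disk_len || write_length > dev->disk_len - offset)
        return 0;
    /* Alignment may stay at the default; the size must not. */
    void *diobuf = NULL;
    if (posix_memalign(&diobuf, PED_SECTOR_SIZE_DEFAULT, write_length) != 0)
        return 0;
    memcpy(diobuf, buffer, write_length);
    memcpy(dev->disk + offset, diobuf, write_length);  /* the write() */
    free(diobuf);
    return 1;
}

/* Round trip: 3 sectors of 2048 bytes written at sector 2 must land
 * intact, and a count that wraps count * sector_size must be refused. */
int demo_2048_byte_sectors(void)
{
    enum { SECTOR = 2048, COUNT = 3 };
    static unsigned char disk[8 * SECTOR], src[COUNT * SECTOR];
    struct fake_dev dev = { SECTOR, disk, sizeof disk };
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(i * 7);
    if (!write_sectors(&dev, src, 2, COUNT) ||
        memcmp(disk + 2 * SECTOR, src, sizeof src) != 0)
        return 0;
    return write_sectors(&dev, src, 0, SIZE_MAX / 1024) == 0;
}
```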
