From patchwork Wed Jun 9 12:01:54 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 55082
X-Patchwork-Delegate: davem@davemloft.net
Date: Wed, 9 Jun 2010 14:01:54 +0200
From: Dan Carpenter
To: Jeff Garzik
Cc: Tejun Heo, Robert Hancock, Vivek Mahajan, linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] sata_sil24: memset() overflow
Message-ID: <20100609120153.GF5483@bicker>
X-Mailing-List: linux-ide@vger.kernel.org

cb->atapi.cdb is an array of 16 u8 elements. The call to memset() would set the first part of the sge array to zero as well. It's not a packed struct.

This one has been around for five years. I found it with Smatch. I think the reason no one has seen it before is because we normally call sil24_fill_sg() and that overwrites sge with proper information?

Signed-off-by: Dan Carpenter
Acked-by: Tejun Heo
---
I don't have this hardware myself so I can't test it. Sorry. :(

diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
index e925051..9e459eb 100644
--- a/drivers/ata/sata_sil24.c
+++ b/drivers/ata/sata_sil24.c
@@ -865,7 +865,7 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc)
 	} else {
 		prb = &cb->atapi.prb;
 		sge = cb->atapi.sge;
-		memset(cb->atapi.cdb, 0, 32);
+		memset(cb->atapi.cdb, 0, sizeof(cb->atapi.cdb));
 		memcpy(cb->atapi.cdb, qc->cdb, qc->dev->cdb_len);
 
 		if (ata_is_data(qc->tf.protocol)) {
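Review bot: the memcpy directly below the changed line still writes qc->dev->cdb_len bytes into the same 16-byte cb->atapi.cdb, so this hunk removes the fixed-size overrun but leaves the copy trusting cdb_len; if that value can ever exceed sizeof(cb->atapi.cdb), the copy runs into sge exactly as the old memset did. Suggest either a check before the copy, e.g. `WARN_ON_ONCE(qc->dev->cdb_len > sizeof(cb->atapi.cdb))`, or a sentence in the commit message saying where cdb_len is bounded. The commit message also leaves the question of whether sil24_fill_sg() always repairs the clobbered sge entries open ("...with proper information?"); for a fix that has been latent for five years it is worth stating the answer, since it determines whether this was a functional bug or only a latent one. The sizeof() form itself is the right change: the length now follows the array declaration instead of a stale literal.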
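The overrun the commit message describes, as an added example (not the driver's code): a constructed struct with a 16-byte cdb followed by sge entries, measuring how many sge bytes memset(..., 32) zeroes versus memset(..., sizeof cdb), plus a bounds-checked form of the memset/memcpy pair. The struct layout, the sge shape and count, and the fill_cdb and cdb_len_accepted helpers are assumptions of this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's ATAPI command block: a 16-byte CDB
 * followed directly by the scatter-gather entries, as the commit message
 * describes. The sge shape and count are assumptions for this demo only. */
struct mock_sge { uint64_t addr; uint32_t cnt; uint32_t flags; };
struct mock_atapi_block { uint8_t cdb[16]; struct mock_sge sge[4]; };

#define SGE_FILL 0xA5

/* Fill the block with a marker, clear the CDB with memset_len bytes (the
 * length the patch changes) and count how many sge bytes got zeroed. The
 * memset goes through a pointer to the whole block so the overrun stays
 * inside the object and is observable instead of undefined behaviour. */
size_t clobbered_sge_bytes(size_t memset_len)
{
	struct mock_atapi_block blk;
	if (memset_len > sizeof blk)		/* keep the demo inside the object */
		memset_len = sizeof blk;
	memset(&blk, SGE_FILL, sizeof blk);
	memset((unsigned char *)&blk + offsetof(struct mock_atapi_block, cdb), 0, memset_len);
	const unsigned char *p = (const unsigned char *)blk.sge;
	size_t zeroed = 0;
	for (size_t i = 0; i < sizeof blk.sge; i++)
		zeroed += (p[i] != SGE_FILL);
	return zeroed;
}

/* Bounds-checked form of the memset+memcpy pair from the hunk: the length
 * is tied to the array, and a CDB longer than it is rejected, not copied.
 * Returns 0 on success, -1 if cdb_len does not fit. */
int fill_cdb(struct mock_atapi_block *blk, const uint8_t *cdb, size_t cdb_len)
{
	if (cdb_len > sizeof blk->cdb)
		return -1;
	memset(blk->cdb, 0, sizeof blk->cdb);
	memcpy(blk->cdb, cdb, cdb_len);
	return 0;
}

/* Helper: does fill_cdb accept a CDB of cdb_len bytes? (1 = yes, 0 = no) */
int cdb_len_accepted(size_t cdb_len)
{
	struct mock_atapi_block blk;
	uint8_t buf[32] = { 0x12 };		/* constructed, bigger than cdb on purpose */
	return fill_cdb(&blk, buf, cdb_len) == 0;
}
```

With the constructed layout, clobbered_sge_bytes(32) reports 16 zeroed sge bytes (a whole first entry) while clobbered_sge_bytes(16) reports none.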