From: David Jeffery <djeffery@redhat.com>
Date: Mon, 28 Sep 2009 15:43:04 -0400
Subject: [scsi] st.c: memory use after free after MTSETBLK ioctl
Message-id: 1931932430.588751254166984157.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com
O-Subject: [PATCH RHEL5.5] BZ 520192: st.c, possible memory use after free after MTSETBLK ioctl
Bugzilla: 520192
RH-Acked-by: Jay Fenlason <fenlason@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>
RH-Acked-by: David Milburn <dmilburn@redhat.com>
RH-Acked-by: David Howells <dhowells@redhat.com>

Resolves BZ 520192.

A memory use after free bug can manifest if the MTSETBLK or SET_DENS_AND_BLK
ioctl features are used to set a scsi tape's blocksize from 0 to non-zero.
After the driver sets the new block size, in this one case it calls
normalize_buffer() to free the device's internal data buffers.  However, the
ioctl code assumes there is always a buffer and does not check or allocate
a buffer if there isn't one.  So any following ioctl calls can corrupt
a part of memory by writing data to memory that the st driver had freed.

This patch has been submitted upstream and fixes the problem by removing
this call to normalize_buffer().  The call to normalize_buffer() doesn't
serve a real purpose any more.  There is no need to drop all buffer memory
for this one case of a block size change.

diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index 08c2ee0..f50405f 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -2791,11 +2791,8 @@ static int st_int_ioctl(struct scsi_tape *STp, unsigned int cmd_in, unsigned lon
 			ioctl_result = st_int_ioctl(STp, MTBSF, 1);
 
 		if (cmd_in == MTSETBLK || cmd_in == SET_DENS_AND_BLK) {
-			int old_block_size = STp->block_size;
 			STp->block_size = arg & MT_ST_BLKSIZE_MASK;
 			if (STp->block_size != 0) {
-				if (old_block_size == 0)
-					normalize_buffer(STp->buffer);
 				(STp->buffer)->buffer_blocks =
 				    (STp->buffer)->buffer_size / STp->block_size;
 			}