[uml-devel] reading uninit memory in do_io (ubd_kern.c)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Function do_io() in arch/um/drivers/ubd_kern.c can read uninitialized memory
when scanning the .sector_mask.  During startup the maximum .length
is 64K (and has been observed), so 128 bits are needed [512-byte sectors.]
Initialized .sector_mask has 32 bits, and initialized .cow_offset has 64,
so 32 bits must come from .bitmap_words[0]; but .bitmap_words is not
initialized by prepare_request().

If .fds[0]==.fds[1], as it is in early startup, then the net effect
of scanning the uninit .bitmap_words[0] is "merely" a randomness and
possible slowdown in I/O operations, which is better to avoid anyway.

Either call blk_queue_max_sectors() much earlier (and always) in order
to restrict all transfers to at most 32 [or 96] sectors, else apply
the attached patch to clear .bitmap_words[0].

-- 
John Reiser, jreiser@BitWagon.com