FreeBSD Bugzilla – Attachment 169475 Details for
Bug 206573
Improper userland pointer handling in aacraid
[patch]
unified patch for aac and aacraid
sanitize_userland_pointers_aac_aacraid.diff (text/plain), 2.40 KB, created by
Sean Bruno
on 2016-04-19 17:30:11 UTC
Description:
unified patch for aac and aacraid
Creator:
Sean Bruno
Created:
2016-04-19 17:30:11 UTC
Size:
2.40 KB
>Index: sys/dev/aac/aac.c
>===================================================================
>--- sys/dev/aac/aac.c (revision 298278)
>+++ sys/dev/aac/aac.c (working copy)
>@@ -3103,18 +3103,30 @@
> /* Retrieve correct SG entries. */
> if (fibsize == (sizeof(struct aac_srb) +
> srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry))) {
>+ struct aac_sg_entry sg;
>+
> sge = srbcmd->sg_map.SgEntry;
> sge64 = NULL;
>- srb_sg_bytecount = sge->SgByteCount;
>- srb_sg_address = (void *)(uintptr_t)sge->SgAddress;
>+
>+ if ((error = copyin(sge, &sg, sizeof(sg))) != 0)
>+ goto out;
>+
>+ srb_sg_bytecount = sg.SgByteCount;
>+ srb_sg_address = (void *)(uintptr_t)sg.SgAddress;
> }
> #ifdef __amd64__
> else if (fibsize == (sizeof(struct aac_srb) +
> srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry64))) {
>+ struct aac_sg_entry64 sg;
>+
> sge = NULL;
> sge64 = (struct aac_sg_entry64 *)srbcmd->sg_map.SgEntry;
>- srb_sg_bytecount = sge64->SgByteCount;
>- srb_sg_address = (void *)sge64->SgAddress;
>+
>+ if ((error = copyin(sge64, &sg, sizeof(sg))) != 0)
>+ goto out;
>+
>+ srb_sg_bytecount = sg.SgByteCount;
>+ srb_sg_address = (void *)sg.SgAddress;
> if (sge64->SgAddress > 0xffffffffull &&
> (sc->flags & AAC_FLAGS_SG_64BIT) == 0) {
> error = EINVAL;
>Index: sys/dev/aacraid/aacraid.c
>===================================================================
>--- sys/dev/aacraid/aacraid.c (revision 298278)
>+++ sys/dev/aacraid/aacraid.c (working copy)
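Review bot: In sys/dev/aac/aac.c the amd64 branch still dereferences the pointer it has just treated as a user address: the unchanged context line `if (sge64->SgAddress > 0xffffffffull &&` reads through `sge64` directly, right after `copyin(sge64, &sg, sizeof(sg))`. That leaves in place the kind of access the patch sets out to remove, and it lets the range check and `srb_sg_address` come from two separate reads of memory that may change between them. The check should use the local copy, `if (sg.SgAddress > 0xffffffffull &&`, which is what the aacraid.c hunk already does by testing `srb_sg_address`. The enclosing function starts and ends outside the hunk, so what the `out` label cleans up is not visible here.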
>@@ -2873,15 +2873,25 @@
> if (fibsize == (sizeof(struct aac_srb) +
> srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry))) {
> struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
>- srb_sg_bytecount = sgp->SgByteCount;
>- srb_sg_address = (u_int64_t)sgp->SgAddress;
>+ struct aac_sg_entry sg;
>+
>+ if ((error = copyin(sgp, &sg, sizeof(sg))) != 0)
>+ goto out;
>+
>+ srb_sg_bytecount = sg.SgByteCount;
>+ srb_sg_address = (u_int64_t)sg.SgAddress;
> } else if (fibsize == (sizeof(struct aac_srb) +
> srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry64))) {
> #ifdef __LP64__
> struct aac_sg_entry64 *sgp =
> (struct aac_sg_entry64 *)srbcmd->sg_map.SgEntry;
>- srb_sg_bytecount = sgp->SgByteCount;
>- srb_sg_address = sgp->SgAddress;
>+ struct aac_sg_entry64 sg;
>+
>+ if ((error = copyin(sgp, &sg, sizeof(sg))) != 0)
>+ goto out;
>+
>+ srb_sg_bytecount = sg.SgByteCount;
>+ srb_sg_address = sg.SgAddress;
> if (srb_sg_address > 0xffffffffull &&
> !(sc->flags & AAC_FLAGS_SG_64BIT))
> #endif
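Review bot: The new `copyin(sgp, &sg, sizeof(sg))` is only correct if `srbcmd->sg_map.SgEntry` is a user address, and the hunk does not show which address space `srbcmd` lives in. The `fibsize` comparisons on the context lines read `srbcmd->sg_map.SgCount` directly, which suggests `srbcmd` may already be a kernel copy; in that case `sgp` would point into that copy and `copyin()` would be handed a kernel address, presumably failing rather than adding protection. If `srbcmd` is instead a user pointer, the `SgCount` reads need the same treatment as the entry. Either way the assumption deserves a comment above each `copyin`, for example `/* sgp is a user address; use only the local copy sg below */`, and the same question applies to both branches here and to the aac.c hunk. The enclosing function starts and ends outside the hunk.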