kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes
memory corruption and panic
scottl at samsco.org
Tue Apr 17 20:10:05 UTC 2012
The following reply was made to PR kern/155658; it has been noted by GNATS.
From: Scott Long <scottl at samsco.org>
To: bug-followup at FreeBSD.org, longwitz at incore.de
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Tue, 17 Apr 2012 14:01:21 -0600
Is the problem that the buffer in allocated to be too big, or too small?
The bug report talks about a 36 byte buffer being requested from megarc, =
but the firmware returning 1k instead. If this is the bug that I'm =
thinking, then it was fixed in the linux ioctl path a few years ago. I =
had hoped that megarc would never be compiled and run natively on =
FreeBSD, so I didn't fix it in the native path.
The fix is to always allocate a minimum of 4k and attach it to the =
command sent to the card, but only copy back to user land the length =
that the ioctl requests. This is what linux does. It's a bug in the =
megaraid firmware, and it's a bug in megarc, and I had hoped that LSI =
would be better than this. Note that the linux ioctl path in the driver =
that I mentioned only does this as a special case when the length is 0. =
It sounds like it needs to be done for all cases of min(au_lenth, 4096).
I'm not sure why there's a discussion on max length; if I'm not =
understanding the problem, please let me know.
More information about the freebsd-bugs