kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic

John Baldwin jhb at
Thu Apr 19 20:50:11 UTC 2012

The following reply was made to PR kern/155658; it has been noted by GNATS.

From: John Baldwin <jhb at>
To: Andreas Longwitz <longwitz at>
Cc: bug-followup at,
 scottl at
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Thu, 19 Apr 2012 16:49:45 -0400

 On Thursday, April 19, 2012 4:12:50 pm Andreas Longwitz wrote:
 > John,
 > I did several tests with your patch in 8.2 and everything works fine, if
 > I use the binary version of megarc with the patch included described in
 > ports/137938.
 > The original megarc sends amr_ioctl's with length 12868 (e.g. the first
 > ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
 > controller with real_length=16384, but the controller returns 25412
 > Bytes. This happens all the time on nearly every megarc command, I think
 > this is a program error in megarc, he uses user_cmd=0xa104 with buffer
 > length 12868, but the firmware of the controller replies with 25412
 > bytes. So we have memory corruption of 25412 - 16384 = 9026 bytes. The
 > patch in ports/137938 changes the length field in megarc from 12868 to
 > 25412 to avoid this problem. A line like
 >        if( len == 12868 ) len = 25412;
 > would solve this problem in the driver. I did not find any other static
 > problems of this type.
 > Another story are dynamic problems. When the controller is very busy, I
 > see sometimes 1KB bytes returned from the controller, when length is
 > much lower. This problem is handled by your patch in all cases.
 Hmm, given the above, I'm tempted to just force the buffer to always be at
 least 32k.  Scott, what do you think about that?
 John Baldwin
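As an added illustration (not code from the amr driver or from either participant), here is a small C model of the sizing rule discussed above: the kernel buffer for a user request is rounded up to a whole page and then raised to a configurable floor, so the 25412-byte firmware reply to a 12868-byte request overruns a 16384-byte buffer but fits once the floor is 32 KiB. The page size and the simulated controller are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed page size; the real driver would use the kernel's PAGE_SIZE. */
#define SIM_PAGE_SIZE 4096u

/* Size of the kernel buffer to allocate for a user request of user_len
 * bytes: rounded up to a whole page, then raised to min_buf (the 32 KiB
 * floor proposed in the thread, or 0 for the page-rounding-only behaviour). */
uint32_t amr_dma_buflen(uint32_t user_len, uint32_t min_buf)
{
    uint32_t len = (user_len + SIM_PAGE_SIZE - 1) & ~(SIM_PAGE_SIZE - 1);
    return len < min_buf ? min_buf : len;
}

/* Stand-in for the controller firmware (constructed): it fills at most
 * buflen bytes but reports how many it wanted to write, so the caller can
 * tell whether a real DMA of that size would have run past the buffer. */
static uint32_t fake_controller_reply(uint8_t *buf, uint32_t buflen,
                                      uint32_t reply_len)
{
    uint32_t n = reply_len < buflen ? reply_len : buflen;
    memset(buf, 0xAB, n);
    return reply_len;
}

/* Simulated ioctl path. Returns 0 if the reply fit the allocated buffer and
 * -1 if it would have overrun it (the memory corruption the PR describes). */
int amr_ioctl_sim(uint32_t user_len, uint32_t reply_len, uint32_t min_buf)
{
    uint32_t buflen = amr_dma_buflen(user_len, min_buf);
    uint8_t *buf = calloc(1, buflen);
    if (buf == NULL)
        return -1;
    uint32_t wanted = fake_controller_reply(buf, buflen, reply_len);
    free(buf);
    return wanted > buflen ? -1 : 0;
}
```

With min_buf = 0 the 12868-byte megarc request gets a 16384-byte buffer and the 25412-byte reply is flagged as an overrun; with min_buf = 32768 it fits.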
