kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic

Scott Long scott4long at
Fri Apr 20 13:40:09 UTC 2012

The following reply was made to PR kern/155658; it has been noted by GNATS.

From: Scott Long <scott4long at>
To: John Baldwin <jhb at>
Cc: Andreas Longwitz <longwitz at>,
  "bug-followup at" <bug-followup at>,
  "scottl at" <scottl at>
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Fri, 20 Apr 2012 07:30:14 -0600

 Worst firmware ever.  Seriously.  If this was open bad, the driver would be r=
 emoved and the hardware blacklisted as a security threat.
 On Apr 20, 2012, at 6:13 AM, John Baldwin <jhb at> wrote:
 > On Thursday, April 19, 2012 4:12:50 pm Andreas Longwitz wrote:
 >> John,
 >> I did several tests with your patch in 8.2 and everything works fine, if
 >> I use the binary version of megarc with the patch included described in
 >> ports/137938.
 >> The original megarc sends amr_ioctl's with length 12868 (e.g. the first
 >> ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
 >> controller with real_length=3D16384, but the controller returns 25412
 >> Bytes. This happens all the time on nearly every megarc command, I think
 >> this is a program error in megarc, he uses user_cmd=3D0xa104 with buffer
 >> length 12868, but the firmware of the controller replies with 25412
 >> bytes. So we have memory corruption of 25412 - 16384 =3D 9026 bytes. The
 >> patch in ports/137938 changes the lenght field in megarc from 12868 to
 >> 25412 to avoid this problem. A line like
 >>       if( len =3D=3D 12868 ) len =3D 25412;
 >> would solve this problem in the driver. I did not find any other static
 >> problems of this type.
 >> Another story are dynamic problems. When the controller is very busy, I
 >> see sometimes 1KB bytes returned from the controller, when lenght is
 >> much lower. This problem is handled by your patch in all cases.
 >> Andreas Longwitz
 > Ah, ok.  I think we should just make the minimum buffer size 32k which
 > should workaround this.  I've updated the patch at the same URL:
 > --=20
 > John Baldwin

More information about the freebsd-bugs mailing list