kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes
memory corruption and panic
Scott Long
scott4long at yahoo.com
Fri Apr 20 13:40:09 UTC 2012
The following reply was made to PR kern/155658; it has been noted by GNATS.
From: Scott Long <scott4long at yahoo.com>
To: John Baldwin <jhb at freebsd.org>
Cc: Andreas Longwitz <longwitz at incore.de>,
"bug-followup at freebsd.org" <bug-followup at freebsd.org>,
"scottl at freebsd.org" <scottl at freebsd.org>
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Fri, 20 Apr 2012 07:30:14 -0600
Worst firmware ever. Seriously. If this was open bad, the driver would be r=
emoved and the hardware blacklisted as a security threat.
Scott
On Apr 20, 2012, at 6:13 AM, John Baldwin <jhb at freebsd.org> wrote:
> On Thursday, April 19, 2012 4:12:50 pm Andreas Longwitz wrote:
>> John,
>> I did several tests with your patch in 8.2 and everything works fine, if
>> I use the binary version of megarc with the patch included described in
>> ports/137938.
>>=20
>> The original megarc sends amr_ioctl's with length 12868 (e.g. the first
>> ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
>> controller with real_length=3D16384, but the controller returns 25412
>> Bytes. This happens all the time on nearly every megarc command, I think
>> this is a program error in megarc, he uses user_cmd=3D0xa104 with buffer
>> length 12868, but the firmware of the controller replies with 25412
>> bytes. So we have memory corruption of 25412 - 16384 =3D 9026 bytes. The
>> patch in ports/137938 changes the lenght field in megarc from 12868 to
>> 25412 to avoid this problem. A line like
>> if( len =3D=3D 12868 ) len =3D 25412;
>> would solve this problem in the driver. I did not find any other static
>> problems of this type.
>>=20
>> Another story are dynamic problems. When the controller is very busy, I
>> see sometimes 1KB bytes returned from the controller, when lenght is
>> much lower. This problem is handled by your patch in all cases.
>>=20
>> Andreas Longwitz
>=20
> Ah, ok. I think we should just make the minimum buffer size 32k which
> should workaround this. I've updated the patch at the same URL:
>=20
> http://www.freebsd.org/~jhb/patches/amr_buffer_len.patch
>=20
> --=20
> John Baldwin
More information about the freebsd-bugs
mailing list