kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic

Scott Long scott4long at
Fri Apr 20 13:40:11 UTC 2012

The following reply was made to PR kern/155658; it has been noted by GNATS.

From: Scott Long <scott4long at>
To: Scott Long <scott4long at>
Cc: John Baldwin <jhb at>, Andreas Longwitz <longwitz at>,
  "bug-followup at" <bug-followup at>,
  "scottl at" <scottl at>
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Fri, 20 Apr 2012 07:35:26 -0600

 "openbsd".  <i>When computers attack!<i>
 On Apr 20, 2012, at 7:30 AM, Scott Long <scott4long at> wrote:
 > Worst firmware ever.  Seriously.  If this was open bad, the driver would b=
 e removed and the hardware blacklisted as a security threat.
 > Scott
 > On Apr 20, 2012, at 6:13 AM, John Baldwin <jhb at> wrote:
 >> On Thursday, April 19, 2012 4:12:50 pm Andreas Longwitz wrote:
 >>> John,
 >>> I did several tests with your patch in 8.2 and everything works fine, if=
 >>> I use the binary version of megarc with the patch included described in
 >>> ports/137938.
 >>> The original megarc sends amr_ioctl's with length 12868 (e.g. the first
 >>> ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
 >>> controller with real_length=3D16384, but the controller returns 25412
 >>> Bytes. This happens all the time on nearly every megarc command, I think=
 >>> this is a program error in megarc, he uses user_cmd=3D0xa104 with buffer=
 >>> length 12868, but the firmware of the controller replies with 25412
 >>> bytes. So we have memory corruption of 25412 - 16384 =3D 9026 bytes. The=
 >>> patch in ports/137938 changes the lenght field in megarc from 12868 to
 >>> 25412 to avoid this problem. A line like
 >>>      if( len =3D=3D 12868 ) len =3D 25412;
 >>> would solve this problem in the driver. I did not find any other static
 >>> problems of this type.
 >>> Another story are dynamic problems. When the controller is very busy, I
 >>> see sometimes 1KB bytes returned from the controller, when lenght is
 >>> much lower. This problem is handled by your patch in all cases.
 >>> Andreas Longwitz
 >> Ah, ok.  I think we should just make the minimum buffer size 32k which
 >> should workaround this.  I've updated the patch at the same URL:
 >> --=20
 >> John Baldwin

More information about the freebsd-bugs mailing list