[Bug 206573] Improper userland pointer handling in aacraid
bugzilla-noreply at freebsd.org
Tue Feb 2 18:20:51 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573
landaire <landergriffith+freebsdbugzilla at gmail.com> changed:
What                 |Removed  |Added
----------------------------------------------------------------------------
CC                   |         |landergriffith+freebsdbugzilla at gmail.com
--- Comment #2 from landaire <landergriffith+freebsdbugzilla at gmail.com> ---
This bug is also present in the `aac` (not aacraid) code in the same function, here:
    /* Retrieve correct SG entries. */
    if (fibsize == (sizeof(struct aac_srb) +
        srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry))) {
        sge = srbcmd->sg_map.SgEntry;
        sge64 = NULL;
        srb_sg_bytecount = sge->SgByteCount;
        srb_sg_address = (void *)(uintptr_t)sge->SgAddress;
    }
and here:
https://github.com/freebsd/freebsd/blob/bac8688b17d735d252ec75a94df67384938f3f9b/sys/dev/aac/aac.c#L3114-L3122
#ifdef __amd64__
    else if (fibsize == (sizeof(struct aac_srb) +
        srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry64))) {
        sge = NULL;
        sge64 = (struct aac_sg_entry64 *)srbcmd->sg_map.SgEntry;
        srb_sg_bytecount = sge64->SgByteCount;
        ...
    }
#endif
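As an added example (not code from this bug report nor from FreeBSD's aac(4)/aacraid(4) drivers), the following is a user-space C model of the SG-entry selection quoted above, followed by the checks a reviewer would want applied before a user-supplied SgAddress reaches copyin/copyout. The structure layouts, the limits, the MODEL_USER_MAX_ADDR constant standing in for VM_MAXUSER_ADDRESS, and the sample requests are simplified assumptions for illustration; which of these checks the real drivers perform or lack is not shown on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the SRB header; only sg_count is consumed here.
 * The real aac_srb has more fields; this layout is an assumption. */
struct model_srb {
    uint32_t function;
    uint32_t flags;
    uint32_t sg_count;          /* stands in for srbcmd->sg_map.SgCount */
    /* SG entries follow immediately, in either the 32- or 64-bit form. */
};

/* Model SG entries (assumed layouts, not the driver's aac_sg_entry types). */
struct model_sg32 { uint32_t addr; uint32_t bytecount; };
struct model_sg64 { uint64_t addr; uint32_t bytecount; uint32_t pad; };

/* Assumed limits for the model. */
#define MODEL_MAX_SG_COUNT   64u
#define MODEL_MAX_SG_BYTES   (64u * 1024u)
#define MODEL_USER_MAX_ADDR  0x00007fffffffffffULL  /* plays the role of VM_MAXUSER_ADDRESS */

enum sg_status { SG_OK = 0, SG_BAD_SIZE, SG_BAD_COUNT, SG_BAD_BYTES, SG_BAD_ADDR };

/* Pick the entry form the way the quoted driver code does: the caller's
 * fibsize must equal header + SgCount * entry size. Yields the first entry's
 * address and byte count, which are still untrusted user input at this point. */
static enum sg_status select_first_sg(const uint8_t *fib, size_t fibsize,
                                      uint64_t *addr, uint32_t *bytecount)
{
    struct model_srb srb;
    const uint8_t *entries;

    if (fibsize < sizeof srb)
        return SG_BAD_SIZE;
    memcpy(&srb, fib, sizeof srb);             /* fib is already a kernel copy */
    if (srb.sg_count == 0 || srb.sg_count > MODEL_MAX_SG_COUNT)
        return SG_BAD_COUNT;                   /* bound the count before multiplying */
    entries = fib + sizeof srb;

    if (fibsize == sizeof srb + (size_t)srb.sg_count * sizeof(struct model_sg32)) {
        struct model_sg32 e;
        memcpy(&e, entries, sizeof e);
        *addr = e.addr;
        *bytecount = e.bytecount;
        return SG_OK;
    }
    if (fibsize == sizeof srb + (size_t)srb.sg_count * sizeof(struct model_sg64)) {
        struct model_sg64 e;
        memcpy(&e, entries, sizeof e);
        *addr = e.addr;
        *bytecount = e.bytecount;
        return SG_OK;
    }
    return SG_BAD_SIZE;
}

/* Checks to apply before the address is handed to copyin/copyout: the value
 * came from user space, so it is a user address and never a pointer the
 * kernel may dereference directly. */
static enum sg_status check_user_sg(uint64_t addr, uint32_t bytecount)
{
    if (bytecount == 0 || bytecount > MODEL_MAX_SG_BYTES)
        return SG_BAD_BYTES;
    /* The whole [addr, addr + bytecount) range must lie in user space. */
    if (addr > MODEL_USER_MAX_ADDR || bytecount > MODEL_USER_MAX_ADDR - addr)
        return SG_BAD_ADDR;
    return SG_OK;
}

/* What the model ioctl handler returns for one raw SRB request. */
enum sg_status handle_raw_srb(const uint8_t *fib, size_t fibsize)
{
    uint64_t addr = 0;
    uint32_t bytecount = 0;
    enum sg_status st = select_first_sg(fib, fibsize, &addr, &bytecount);

    if (st != SG_OK)
        return st;
    return check_user_sg(addr, bytecount);
}

/* Constructed sample requests (one SG entry each); each returns its fibsize. */
size_t build_request32(uint8_t *buf, uint32_t addr, uint32_t bytes)
{
    struct model_srb srb = { 1, 0, 1 };
    struct model_sg32 e = { addr, bytes };

    memcpy(buf, &srb, sizeof srb);
    memcpy(buf + sizeof srb, &e, sizeof e);
    return sizeof srb + sizeof e;
}

size_t build_request64(uint8_t *buf, uint64_t addr, uint32_t bytes)
{
    struct model_srb srb = { 1, 0, 1 };
    struct model_sg64 e = { addr, bytes, 0 };

    memcpy(buf, &srb, sizeof srb);
    memcpy(buf + sizeof srb, &e, sizeof e);
    return sizeof srb + sizeof e;
}

uint8_t request_buf[64];   /* scratch buffer for the constructed samples */

int main(void)
{
    size_t n;

    n = build_request32(request_buf, 0x10000u, 512u);
    printf("valid 32-bit entry:   %d\n", handle_raw_srb(request_buf, n));
    printf("fibsize off by one:   %d\n", handle_raw_srb(request_buf, n + 1));
    n = build_request64(request_buf, 0xffff800000000000ULL, 16u);
    printf("kernel-half address:  %d\n", handle_raw_srb(request_buf, n));
    n = build_request32(request_buf, 0x10000u, 1u << 20);
    printf("oversized byte count: %d\n", handle_raw_srb(request_buf, n));
    return 0;
}
```

The size match on fibsize only establishes which entry layout the caller claims to have sent; it says nothing about where the address inside that entry points, which is why the range check is kept as a separate step that runs on the decoded value rather than on the raw buffer.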
--
You are receiving this mail because:
You are the assignee for the bug.