[Bug 238014] Potential NULL pointer dereference in function ata_dev_advinfo and nvme_dev_advinfo

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 21 07:42:34 UTC 2019


            Bug ID: 238014
           Summary: Potential NULL pointer dereference in function
                    ata_dev_advinfo and nvme_dev_advinfo
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: yangx92 at hotmail.com

Created attachment 204502
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204502&action=edit
Proposed patch

There are two NULL pointer vulnerabilities in functions named ata_dev_advinfo
(sys/cam/ata/ata_xpt.c) and nvme_dev_advinfo (sys/cam/nvme/nvme_xpt.c).

We take function ata_dev_advinfo for example.

                if (cdai->flags & CDAI_FLAG_STORE) {
                        if (device->physpath != NULL)
                                free(device->physpath, M_CAMXPT);
                        device->physpath_len = cdai->bufsiz;
                        /* Clear existing buffer if zero length */
                        if (cdai->bufsiz == 0)
                        device->physpath = malloc(cdai->bufsiz, M_CAMXPT,
                        if (device->physpath == NULL) {
                                start_ccb->ccb_h.status = CAM_REQ_ABORTED;
                        memcpy(device->physpath, cdai->buf, cdai->bufsiz);

if the physical path is being stored and there is a malloc failure (malloc(9)
is called with M_NOWAIT), we could wind up in a situation where the device's
physpath_len is set to the length the user provided, but the physpath itself is

If another context then comes in to fetch the physical path value, we would
wind up trying to memcpy a NULL pointer into the caller's buffer.

So, set the physpath_len to 0 when we free the physpath on entry into the store
case for the physical path.  Reset the length to a non-zero value only after
we've successfully malloced a buffer to hold it.

The attachment is the proposed patch.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list