[Bug 238016] Possible divide by zero in function aac_cam_action (sys/dev/aac/aac_cam.c and sys/dev/aacraid/aacraid_cam.c) and aic_calc_geometry (sys/dev/aic7xxx/aic_osm_lib.c)
bugzilla-noreply at freebsd.org
Tue May 21 08:25:36 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238016
Bug ID: 238016
Summary: Possible divide by zero in function aac_cam_action (sys/dev/aac/aac_cam.c and sys/dev/aacraid/aacraid_cam.c) and aic_calc_geometry (sys/dev/aic7xxx/aic_osm_lib.c)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
There are three possible divide-by-zero vulnerabilities in the functions
aac_cam_action (sys/dev/aac/aac_cam.c and sys/dev/aacraid/aacraid_cam.c) and
aic_calc_geometry (sys/dev/aic7xxx/aic_osm_lib.c).
    case XPT_CALC_GEOMETRY:
    {
        struct ccb_calc_geometry *ccg;
        u_int32_t size_mb;
        u_int32_t secs_per_cylinder;

        ccg = &ccb->ccg;
        size_mb = ccg->volume_size /
            ((1024L * 1024L) / ccg->block_size);

        if (size_mb >= (2 * 1024)) {            /* 2GB */
            ccg->heads = 255;
            ccg->secs_per_track = 63;
        } else if (size_mb >= (1 * 1024)) {     /* 1GB */
            ccg->heads = 128;
            ccg->secs_per_track = 32;
        } else {
            ccg->heads = 64;
            ccg->secs_per_track = 32;
        }
        secs_per_cylinder = ccg->heads * ccg->secs_per_track;
        ccg->cylinders = ccg->volume_size / secs_per_cylinder;

        ccb->ccb_h.status = CAM_REQ_CMP;
        xpt_done(ccb);
        return;
    }
(aac_cam_action in sys/dev/aac/aac_cam.c and sys/dev/aacraid/aacraid_cam.c)
void
aic_calc_geometry(struct ccb_calc_geometry *ccg, int extended)
{
#if __FreeBSD_version >= 500000
    cam_calc_geometry(ccg, extended);
#else
    uint32_t size_mb;
    uint32_t secs_per_cylinder;

    size_mb = ccg->volume_size / ((1024L * 1024L) / ccg->block_size);
    if (size_mb > 1024 && extended) {
        ccg->heads = 255;
        ccg->secs_per_track = 63;
    } else {
        ccg->heads = 64;
        ccg->secs_per_track = 32;
    }
    secs_per_cylinder = ccg->heads * ccg->secs_per_track;
    ccg->cylinders = ccg->volume_size / secs_per_cylinder;
    ccg->ccb_h.status = CAM_REQ_CMP;
#endif
}
(aic_calc_geometry in sys/dev/aic7xxx/aic_osm_lib.c)
There is a chance that "ccg->block_size = 0".
This issue is similar to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=12041 which was fixed in
https://github.com/freebsd/freebsd/commit/b5184a290e8a553843618c8beb113d67df465f98.
However, we should check whether ccg->block_size equals zero or not, as in
https://github.com/freebsd/freebsd/blob/master/sys/cam/cam.c#L570.
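As an added illustration (not the reporter's code and not the kernel's), a userland model of the XPT_CALC_GEOMETRY arithmetic quoted above with the block_size check the report asks for. The struct name, the GEOM_* status values and the second guard (block_size larger than 1 MiB, which makes the inner quotient round down to 0) are assumptions of this example, not taken from the kernel sources.

```c
/* Constructed stand-ins for the kernel's struct ccb_calc_geometry and
 * CAM_REQ_CMP / CAM_REQ_CMP_ERR; only the arithmetic mirrors the report. */
#include <stdint.h>

#define GEOM_OK       0   /* stands in for CAM_REQ_CMP */
#define GEOM_BAD_ARG  1   /* stands in for CAM_REQ_CMP_ERR */

struct calc_geometry {
    uint32_t block_size;   /* bytes per block, supplied by the device */
    uint32_t volume_size;  /* volume size in blocks */
    uint32_t heads;
    uint32_t secs_per_track;
    uint32_t cylinders;
};

/* Same computation as aac_cam_action in the report, but each divisor is
 * validated before use. Returns GEOM_OK or GEOM_BAD_ARG. */
int calc_geometry_checked(struct calc_geometry *ccg)
{
    uint32_t blocks_per_mb, size_mb, secs_per_cylinder;

    /* Guard 1: the block_size == 0 case raised in the bug. */
    if (ccg->block_size == 0)
        return GEOM_BAD_ARG;

    /* Guard 2 (assumption, beyond the report): block_size > 1 MiB makes
     * (1024*1024)/block_size round down to 0, the original's divisor. */
    blocks_per_mb = (1024UL * 1024UL) / ccg->block_size;
    if (blocks_per_mb == 0)
        return GEOM_BAD_ARG;

    size_mb = ccg->volume_size / blocks_per_mb;
    if (size_mb >= 2 * 1024) {          /* >= 2 GB */
        ccg->heads = 255;
        ccg->secs_per_track = 63;
    } else if (size_mb >= 1 * 1024) {   /* >= 1 GB */
        ccg->heads = 128;
        ccg->secs_per_track = 32;
    } else {
        ccg->heads = 64;
        ccg->secs_per_track = 32;
    }
    /* heads and secs_per_track are fixed non-zero constants, so the last
     * division cannot trap once the two guards above have passed. */
    secs_per_cylinder = ccg->heads * ccg->secs_per_track;
    ccg->cylinders = ccg->volume_size / secs_per_cylinder;
    return GEOM_OK;
}
```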