Date: Thu, 19 Apr 2012 20:20:12 GMT From: Andreas Longwitz <longwitz@incore.de> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic Message-ID: <201204192020.q3JKKCIv002312@freefall.freebsd.org>
index | next in thread | raw e-mail
The following reply was made to PR kern/155658; it has been noted by GNATS.
From: Andreas Longwitz <longwitz@incore.de>
To: John Baldwin <jhb@FreeBSD.org>
Cc: bug-followup@freebsd.org, scottl@freebsd.org
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes
memory corruption and panic
Date: Thu, 19 Apr 2012 22:12:50 +0200
John,
I did several tests with your patch in 8.2 and everything works fine, if
I use the binary version of megarc with the patch included described in
ports/137938.
The original megarc sends amr_ioctl's with length 12868 (e.g. the first
ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
controller with real_length=16384, but the controller returns 25412
Bytes. This happens all the time on nearly every megarc command, I think
this is a program error in megarc, he uses user_cmd=0xa104 with buffer
length 12868, but the firmware of the controller replies with 25412
bytes. So we have memory corruption of 25412 - 16384 = 9026 bytes. The
patch in ports/137938 changes the lenght field in megarc from 12868 to
25412 to avoid this problem. A line like
if( len == 12868 ) len = 25412;
would solve this problem in the driver. I did not find any other static
problems of this type.
Another story are dynamic problems. When the controller is very busy, I
see sometimes 1KB bytes returned from the controller, when lenght is
much lower. This problem is handled by your patch in all cases.
Andreas Longwitz
home |
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201204192020.q3JKKCIv002312>