Date: Thu, 19 Apr 2012 20:20:12 GMT From: Andreas Longwitz <longwitz@incore.de> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic Message-ID: <201204192020.q3JKKCIv002312@freefall.freebsd.org>
The following reply was made to PR kern/155658; it has been noted by GNATS.
From: Andreas Longwitz <longwitz@incore.de>
To: John Baldwin <jhb@FreeBSD.org>
Cc: bug-followup@freebsd.org, scottl@freebsd.org
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Thu, 19 Apr 2012 22:12:50 +0200
John,
I did several tests with your patch in 8.2 and everything works fine, if
I use the binary version of megarc with the patch included described in
ports/137938.
The original megarc sends amr_ioctl's with length 12868 (e.g. the first
ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
controller with real_length=16384, but the controller returns 25412
bytes. This happens all the time on nearly every megarc command, I think
this is a program error in megarc, it uses user_cmd=0xa104 with buffer
length 12868, but the firmware of the controller replies with 25412
bytes. So we have memory corruption of 25412 - 16384 = 9026 bytes. The
patch in ports/137938 changes the length field in megarc from 12868 to
25412 to avoid this problem. A line like
if( len == 12868 ) len = 25412;
would solve this problem in the driver. I did not find any other static
problems of this type.
Dynamic problems are another story. When the controller is very busy, I
sometimes see 1 KB returned from the controller when the length is
much lower. This problem is handled by your patch in all cases.
Andreas Longwitz