From owner-svn-src-all@freebsd.org Fri Dec 8 05:32:19 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 279D0E9AEB9; Fri, 8 Dec 2017 05:32:19 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E7B0364CF7; Fri, 8 Dec 2017 05:32:18 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vB85WIqE034906; Fri, 8 Dec 2017 05:32:18 GMT (envelope-from asomers@FreeBSD.org) Received: (from asomers@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vB85WIa1034905; Fri, 8 Dec 2017 05:32:18 GMT (envelope-from asomers@FreeBSD.org) Message-Id: <201712080532.vB85WIa1034905@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: asomers set sender to asomers@FreeBSD.org using -f From: Alan Somers Date: Fri, 8 Dec 2017 05:32:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r326680 - stable/11/sys/cam/scsi X-SVN-Group: stable-11 X-SVN-Commit-Author: asomers X-SVN-Commit-Paths: stable/11/sys/cam/scsi X-SVN-Commit-Revision: 326680 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 05:32:19 -0000 Author: asomers Date: Fri Dec 8 05:32:17 2017 New Revision: 326680 URL: https://svnweb.freebsd.org/changeset/base/326680 Log: MFC r325947: Fix potential NULL pointer dereference of device physical path In scsi_dev_advinfo(), if the physical path is being stored and there is a malloc failure (malloc(9) is called with M_NOWAIT), we could wind up in a situation where the device's physpath_len is set to the length the user provided, but the physpath itself is NULL. If another context then comes in to fetch the physical path value, we would wind up trying to memcpy a NULL pointer into the caller's buffer. So, set the physpath_len to 0 when we free the physpath on entry into the store case for the physical path. Reset the length to a non-zero value only after we've successfully malloced a buffer to hold it. Submitted by: ken Reviewed by: asomers Sponsored by: Spectra Logic Corp Modified: stable/11/sys/cam/scsi/scsi_xpt.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/cam/scsi/scsi_xpt.c ============================================================================== --- stable/11/sys/cam/scsi/scsi_xpt.c Fri Dec 8 05:26:10 2017 (r326679) +++ stable/11/sys/cam/scsi/scsi_xpt.c Fri Dec 8 05:32:17 2017 (r326680) @@ -2506,8 +2506,8 @@ scsi_dev_advinfo(union ccb *start_ccb) if (device->physpath != NULL) { free(device->physpath, M_CAMXPT); device->physpath = NULL; + device->physpath_len = 0; } - device->physpath_len = cdai->bufsiz; /* Clear existing buffer if zero length */ if (cdai->bufsiz == 0) break; @@ -2516,6 +2516,7 @@ scsi_dev_advinfo(union ccb *start_ccb) start_ccb->ccb_h.status = CAM_REQ_ABORTED; return; } + device->physpath_len = cdai->bufsiz; memcpy(device->physpath, cdai->buf, cdai->bufsiz); } else { cdai->provsiz = device->physpath_len;