Date: Tue, 02 Feb 2016 18:20:50 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206573] Improper userland pointer handling in aacraid
Message-ID: <bug-206573-8-t0aQUPo64h@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-206573-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-206573-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

landaire <landergriffith+freebsdbugzilla@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |landergriffith+freebsdbugzilla@gmail.com

--- Comment #2 from landaire <landergriffith+freebsdbugzilla@gmail.com> ---
This bug is also present in the `aac` (not aacraid) code in the same function:

here:

    /* Retrieve correct SG entries. */
    if (fibsize == (sizeof(struct aac_srb) +
        srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry))) {
        sge = srbcmd->sg_map.SgEntry;
        sge64 = NULL;
        srb_sg_bytecount = sge->SgByteCount;
        srb_sg_address = (void *)(uintptr_t)sge->SgAddress;
    }

and here:
https://github.com/freebsd/freebsd/blob/bac8688b17d735d252ec75a94df67384938f3f9b/sys/dev/aac/aac.c#L3114-L3122

    #ifdef __amd64__
    else if (fibsize == (sizeof(struct aac_srb) +
        srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry64))) {
        sge = NULL;
        sge64 = (struct aac_sg_entry64 *)srbcmd->sg_map.SgEntry;
        srb_sg_bytecount = sge64->SgByteCount;
        ...
    }
    #endif

-- 
You are receiving this mail because:
You are the assignee for the bug.
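As an added illustration (not code from the bug report, from landaire, or from FreeBSD), the following user-space C model shows the pattern the comment points at: a request buffer whose scatter/gather count and `SgAddress` field come from the caller, and a handler that validates the size relation and then routes the caller-supplied address through a checked copyin-style accessor instead of casting it to a pointer and dereferencing it. The struct layouts (`srb_hdr`, `sg_entry`), the `USER_BASE` constant and the `sim_copyin` helper are simplified stand-ins, not the driver's real types or the kernel's real `copyin`; the overflow guard on `SgCount * sizeof(entry)` is an extra check added here, not something the page describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the aac_srb / aac_sg_entry layout
 * quoted in the comment: a header carrying a scatter/gather count followed
 * by SgCount entries, each with a caller-supplied address and byte count. */
struct sg_entry {
    uint32_t SgAddress;
    uint32_t SgByteCount;
};
struct srb_hdr {
    uint32_t function;   /* placeholder for other header fields (hypothetical) */
    uint32_t SgCount;
};

/* Simulated "user" address space: a byte array mapped at USER_BASE (hypothetical). */
#define USER_BASE 0x10000000u
static uint8_t user_mem[256];

/* copyin-style accessor: copy len bytes from a caller-supplied address,
 * refusing any range that does not lie wholly inside user memory.
 * Returns 0 on success, -1 (think EFAULT) on a bad address. */
static int sim_copyin(uint32_t uaddr, void *dst, size_t len)
{
    if (len > sizeof(user_mem)) return -1;
    if (uaddr < USER_BASE) return -1;
    uint32_t off = uaddr - USER_BASE;
    if (off > sizeof(user_mem) - len) return -1;   /* overflow-safe upper bound */
    memcpy(dst, user_mem + off, len);
    return 0;
}

/* Handle one request. fib/fibsize is the caller-supplied buffer; the first
 * SG entry's data is copied into out (capacity outcap). Returns bytes copied,
 * or -1 on any validation failure. */
static long handle_srb(const uint8_t *fib, size_t fibsize, uint8_t *out, size_t outcap)
{
    struct srb_hdr hdr;
    if (fibsize < sizeof hdr) return -1;
    memcpy(&hdr, fib, sizeof hdr);

    /* Same size relation as the quoted code, guarded against SgCount * size wrapping. */
    if (hdr.SgCount == 0) return -1;
    if (hdr.SgCount > (SIZE_MAX - sizeof hdr) / sizeof(struct sg_entry)) return -1;
    if (fibsize != sizeof hdr + (size_t)hdr.SgCount * sizeof(struct sg_entry)) return -1;

    struct sg_entry sge;
    memcpy(&sge, fib + sizeof hdr, sizeof sge);

    /* The quoted code casts SgAddress straight to a kernel pointer. Here the
     * address is only ever passed to the checked accessor. */
    if (sge.SgByteCount > outcap) return -1;
    if (sim_copyin(sge.SgAddress, out, sge.SgByteCount) != 0) return -1;
    return (long)sge.SgByteCount;
}

/* Build a request buffer: header + one SG entry (constructed test input). */
static size_t build_fib(uint8_t *buf, uint32_t sgcount, uint32_t addr, uint32_t count)
{
    struct srb_hdr hdr = { 0, sgcount };
    struct sg_entry sge = { addr, count };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, &sge, sizeof sge);
    return sizeof hdr + sizeof sge;
}

/* Scenario 1: well-formed request whose SgAddress lies inside user memory. */
long scenario_valid(void)
{
    uint8_t fib[64], out[32];
    memcpy(user_mem + 16, "constructed", 11);   /* constructed sample data */
    size_t n = build_fib(fib, 1, USER_BASE + 16, 11);
    long r = handle_srb(fib, n, out, sizeof out);
    if (r == 11 && memcmp(out, "constructed", 11) == 0) return r;
    return -2;
}

/* Scenario 2: SgAddress outside the user range; must be rejected, not dereferenced. */
long scenario_bad_address(void)
{
    uint8_t fib[64], out[32];
    size_t n = build_fib(fib, 1, 0xffffff00u, 8);
    return handle_srb(fib, n, out, sizeof out);
}

/* Scenario 3: fibsize does not match SgCount (two entries claimed, one sent). */
long scenario_bad_size(void)
{
    uint8_t fib[64], out[32];
    size_t n = build_fib(fib, 2, USER_BASE + 16, 8);
    return handle_srb(fib, n, out, sizeof out);
}

int main(void)
{
    printf("valid: %ld, bad address: %ld, bad size: %ld\n",
           scenario_valid(), scenario_bad_address(), scenario_bad_size());
    return 0;
}
```

The point of the model is the second half of `handle_srb`: once the size relation between `fibsize` and `SgCount` holds, the entry's address is still untrusted data and is only ever handed to an accessor that bounds-checks it against the user range, which is what a kernel `copyin` provides and what a bare `(void *)(uintptr_t)` cast does not.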