Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 2 Apr 2013 16:50:50 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r249026 - head/sys/cam/ctl
Message-ID:  <201304021650.r32GooXp064019@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: trasz
Date: Tue Apr  2 16:50:50 2013
New Revision: 249026
URL: http://svnweb.freebsd.org/changeset/base/249026

Log:
  Don't directly dereference userland pointer; instead use kernel pointer
  copied in from userspace.  This fixes instant panic when creating CTL LUN
  on sparc64.  Not a security problem, since the API is root-only.
  
  Reviewed by:	ken
  Sponsored by:	FreeBSD Foundation

Modified:
  head/sys/cam/ctl/ctl_backend_block.c

Modified: head/sys/cam/ctl/ctl_backend_block.c
==============================================================================
--- head/sys/cam/ctl/ctl_backend_block.c	Tue Apr  2 16:49:49 2013	(r249025)
+++ head/sys/cam/ctl/ctl_backend_block.c	Tue Apr  2 16:50:50 2013	(r249026)
@@ -1658,7 +1658,7 @@ ctl_be_block_create(struct ctl_be_block_
 
 	if (be_lun->ctl_be_lun.lun_type == T_DIRECT) {
 		for (i = 0; i < req->num_be_args; i++) {
-			if (strcmp(req->kern_be_args[i].name, "file") == 0) {
+			if (strcmp(req->kern_be_args[i].kname, "file") == 0) {
 				file_arg = &req->kern_be_args[i];
 				break;
 			}
@@ -1673,7 +1673,7 @@ ctl_be_block_create(struct ctl_be_block_
 		be_lun->dev_path = malloc(file_arg->vallen, M_CTLBLK,
 					  M_WAITOK | M_ZERO);
 
-		strlcpy(be_lun->dev_path, (char *)file_arg->value,
+		strlcpy(be_lun->dev_path, (char *)file_arg->kvalue,
 			file_arg->vallen);
 
 		retval = ctl_be_block_open(softc, be_lun, req);
@@ -1712,7 +1712,7 @@ ctl_be_block_create(struct ctl_be_block_
 	 * the loop above,
 	 */
 	for (i = 0; i < req->num_be_args; i++) {
-		if (strcmp(req->kern_be_args[i].name, "num_threads") == 0) {
+		if (strcmp(req->kern_be_args[i].kname, "num_threads") == 0) {
 			struct ctl_be_arg *thread_arg;
 			char num_thread_str[16];
 			int tmp_num_threads;
@@ -1720,7 +1720,7 @@ ctl_be_block_create(struct ctl_be_block_
 
 			thread_arg = &req->kern_be_args[i];
 
-			strlcpy(num_thread_str, (char *)thread_arg->value,
+			strlcpy(num_thread_str, (char *)thread_arg->kvalue,
 				min(thread_arg->vallen,
 				sizeof(num_thread_str)));

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201304021650.r32GooXp064019>