From owner-svn-src-head@FreeBSD.ORG Tue Apr 2 16:50:50 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id EBDC07B2; Tue, 2 Apr 2013 16:50:50 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id DEDDCF82; Tue, 2 Apr 2013 16:50:50 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r32Goo03064020; Tue, 2 Apr 2013 16:50:50 GMT (envelope-from trasz@svn.freebsd.org) Received: (from trasz@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r32GooXp064019; Tue, 2 Apr 2013 16:50:50 GMT (envelope-from trasz@svn.freebsd.org) Message-Id: <201304021650.r32GooXp064019@svn.freebsd.org> From: Edward Tomasz Napierala Date: Tue, 2 Apr 2013 16:50:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r249026 - head/sys/cam/ctl X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2013 16:50:51 -0000 Author: trasz Date: Tue Apr 2 16:50:50 2013 New Revision: 249026 URL: http://svnweb.freebsd.org/changeset/base/249026 Log: Don't directly dereference userland pointer; instead use kernel pointer copied in from userspace. This fixes instant panic when creating CTL LUN on sparc64. Not a security problem, since the API is root-only. Reviewed by: ken Sponsored by: FreeBSD Foundation Modified: head/sys/cam/ctl/ctl_backend_block.c Modified: head/sys/cam/ctl/ctl_backend_block.c ============================================================================== --- head/sys/cam/ctl/ctl_backend_block.c Tue Apr 2 16:49:49 2013 (r249025) +++ head/sys/cam/ctl/ctl_backend_block.c Tue Apr 2 16:50:50 2013 (r249026) @@ -1658,7 +1658,7 @@ ctl_be_block_create(struct ctl_be_block_ if (be_lun->ctl_be_lun.lun_type == T_DIRECT) { for (i = 0; i < req->num_be_args; i++) { - if (strcmp(req->kern_be_args[i].name, "file") == 0) { + if (strcmp(req->kern_be_args[i].kname, "file") == 0) { file_arg = &req->kern_be_args[i]; break; } @@ -1673,7 +1673,7 @@ ctl_be_block_create(struct ctl_be_block_ be_lun->dev_path = malloc(file_arg->vallen, M_CTLBLK, M_WAITOK | M_ZERO); - strlcpy(be_lun->dev_path, (char *)file_arg->value, + strlcpy(be_lun->dev_path, (char *)file_arg->kvalue, file_arg->vallen); retval = ctl_be_block_open(softc, be_lun, req); @@ -1712,7 +1712,7 @@ ctl_be_block_create(struct ctl_be_block_ * the loop above, */ for (i = 0; i < req->num_be_args; i++) { - if (strcmp(req->kern_be_args[i].name, "num_threads") == 0) { + if (strcmp(req->kern_be_args[i].kname, "num_threads") == 0) { struct ctl_be_arg *thread_arg; char num_thread_str[16]; int tmp_num_threads; @@ -1720,7 +1720,7 @@ ctl_be_block_create(struct ctl_be_block_ thread_arg = &req->kern_be_args[i]; - strlcpy(num_thread_str, (char *)thread_arg->value, + strlcpy(num_thread_str, (char *)thread_arg->kvalue, min(thread_arg->vallen, sizeof(num_thread_str)));