Date:      Mon, 15 Apr 2013 17:35:14 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r249515 - stable/9/sys/cam/ctl
Message-ID:  <201304151735.r3FHZEPr006836@svn.freebsd.org>

Author: trasz
Date: Mon Apr 15 17:35:14 2013
New Revision: 249515
URL: http://svnweb.freebsd.org/changeset/base/249515

Log:
  MFC r249026:
  
  Don't directly dereference userland pointer; instead use kernel pointer
  copied in from userspace.  This fixes instant panic when creating CTL LUN
  on sparc64.  Not a security problem, since the API is root-only.

Modified:
  stable/9/sys/cam/ctl/ctl_backend_block.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/cam/ctl/ctl_backend_block.c
==============================================================================
--- stable/9/sys/cam/ctl/ctl_backend_block.c	Mon Apr 15 17:21:02 2013	(r249514)
+++ stable/9/sys/cam/ctl/ctl_backend_block.c	Mon Apr 15 17:35:14 2013	(r249515)
@@ -1671,7 +1671,7 @@ ctl_be_block_create(struct ctl_be_block_
 
 	if (be_lun->ctl_be_lun.lun_type == T_DIRECT) {
 		for (i = 0; i < req->num_be_args; i++) {
-			if (strcmp(req->kern_be_args[i].name, "file") == 0) {
+			if (strcmp(req->kern_be_args[i].kname, "file") == 0) {
 				file_arg = &req->kern_be_args[i];
 				break;
 			}
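Review bot: Nothing at the `strcmp(req->kern_be_args[i].kname, "file")` line tells the next reader that `name` and `value` in the same struct are still userland addresses, which is presumably how the original dereference got in. A short comment above the loop would guard against a regression, for example `/* kname/kvalue are the kernel copies made at copyin; name/value are userland pointers and must not be dereferenced here */`. The same comment fits the `num_threads` lookup in the hunk at line 1725. The log mentions the panic only on sparc64, which suggests the old code did not fault on other platforms, so this class of mistake is unlikely to show up in routine testing. ctl_be_block_create starts and ends outside the hunk.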
@@ -1686,7 +1686,7 @@ ctl_be_block_create(struct ctl_be_block_
 		be_lun->dev_path = malloc(file_arg->vallen, M_CTLBLK,
 					  M_WAITOK | M_ZERO);
 
-		strlcpy(be_lun->dev_path, (char *)file_arg->value,
+		strlcpy(be_lun->dev_path, (char *)file_arg->kvalue,
 			file_arg->vallen);
 
 		retval = ctl_be_block_open(softc, be_lun, req);
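Review bot: `strlcpy()` walks its source until it finds a NUL regardless of the size passed, so the copy from `file_arg->kvalue` is only bounded if the kernel copy is NUL-terminated within `vallen` bytes, and the hunk does not show that being checked. If the copyin path does not already guarantee it, validate before the `malloc`, e.g. `if (file_arg->vallen == 0 || ((char *)file_arg->kvalue)[file_arg->vallen - 1] != '\0')` and fail the request. As far as the hunk shows, a `vallen` of zero also reaches `malloc(0, ...)` here. The `strlcpy` into `num_thread_str` in the last hunk depends on a terminated `kvalue` in the same way. ctl_be_block_create starts and ends outside the hunk.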
@@ -1725,7 +1725,7 @@ ctl_be_block_create(struct ctl_be_block_
 	 * the loop above,
 	 */
 	for (i = 0; i < req->num_be_args; i++) {
-		if (strcmp(req->kern_be_args[i].name, "num_threads") == 0) {
+		if (strcmp(req->kern_be_args[i].kname, "num_threads") == 0) {
 			struct ctl_be_arg *thread_arg;
 			char num_thread_str[16];
 			int tmp_num_threads;
@@ -1733,7 +1733,7 @@ ctl_be_block_create(struct ctl_be_block_
 
 			thread_arg = &req->kern_be_args[i];
 
-			strlcpy(num_thread_str, (char *)thread_arg->value,
+			strlcpy(num_thread_str, (char *)thread_arg->kvalue,
 				min(thread_arg->vallen,
 				sizeof(num_thread_str)));
 


