From: Edward Tomasz Napierala Date: Mon, 15 Apr 2013 17:35:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r249515 - stable/9/sys/cam/ctl X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2013 17:35:14 -0000 Author: trasz Date: Mon Apr 15 17:35:14 2013 New Revision: 249515 URL: http://svnweb.freebsd.org/changeset/base/249515 Log: MFC r249026: Don't directly dereference userland pointer; instead use kernel pointer copied in from userspace. This fixes instant panic when creating CTL LUN on sparc64. Not a security problem, since the API is root-only. Modified: stable/9/sys/cam/ctl/ctl_backend_block.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/cam/ctl/ctl_backend_block.c ============================================================================== --- stable/9/sys/cam/ctl/ctl_backend_block.c Mon Apr 15 17:21:02 2013 (r249514) +++ stable/9/sys/cam/ctl/ctl_backend_block.c Mon Apr 15 17:35:14 2013 (r249515) @@ -1671,7 +1671,7 @@ ctl_be_block_create(struct ctl_be_block_ if (be_lun->ctl_be_lun.lun_type == T_DIRECT) { for (i = 0; i < req->num_be_args; i++) { - if (strcmp(req->kern_be_args[i].name, "file") == 0) { + if (strcmp(req->kern_be_args[i].kname, "file") == 0) { file_arg = &req->kern_be_args[i]; break; } 
@@ -1686,7 +1686,7 @@ ctl_be_block_create(struct ctl_be_block_ be_lun->dev_path = malloc(file_arg->vallen, M_CTLBLK, M_WAITOK | M_ZERO); - strlcpy(be_lun->dev_path, (char *)file_arg->value, + strlcpy(be_lun->dev_path, (char *)file_arg->kvalue, file_arg->vallen); retval = ctl_be_block_open(softc, be_lun, req); @@ -1725,7 +1725,7 @@ ctl_be_block_create(struct ctl_be_block_ * the loop above, */ for (i = 0; i < req->num_be_args; i++) { - if (strcmp(req->kern_be_args[i].name, "num_threads") == 0) { + if (strcmp(req->kern_be_args[i].kname, "num_threads") == 0) { struct ctl_be_arg *thread_arg; char num_thread_str[16]; int tmp_num_threads; @@ -1733,7 +1733,7 @@ ctl_be_block_create(struct ctl_be_block_ thread_arg = &req->kern_be_args[i]; - strlcpy(num_thread_str, (char *)thread_arg->value, + strlcpy(num_thread_str, (char *)thread_arg->kvalue, min(thread_arg->vallen, sizeof(num_thread_str)));
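Review bot: In the @@ -1671 hunk, strcmp(req->kern_be_args[i].kname, "file") reads kname until it finds a NUL, and nothing in the visible lines shows that the name copied in from userspace is terminated. Please confirm the copy-in path forces a terminator on kname, or use a bounded comparison here. The same applies to the "num_threads" comparison in the @@ -1725 hunk.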
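Review bot: In the @@ -1686 hunk, file_arg->vallen sizes both the malloc() and the strlcpy() but is not range-checked in the visible lines. With a vallen of 0, strlcpy writes nothing and dev_path is left without a terminator. strlcpy also walks (char *)file_arg->kvalue to its NUL to compute the return value, so an unterminated kvalue is read past vallen. Suggest rejecting vallen == 0 and checking that kvalue[vallen - 1] is '\0' before the copy.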
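Review bot: In the @@ -1733 hunk, the strlcpy return value is ignored, so a kvalue longer than num_thread_str[16] is truncated silently by min(thread_arg->vallen, sizeof(num_thread_str)) and the shortened string is used as if it were the full value. A vallen of 0 also leaves num_thread_str uninitialized, since it is declared without an initializer and strlcpy writes nothing for a zero size. Suggest failing the request when vallen is 0 or when the return value is >= the size passed.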