Date: Tue, 13 Jul 2021 20:13:49 GMT From: Warner Losh <imp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 431ddd94360a - main - Fix potential NULL pointer dereference of device physical path Message-ID: <202107132013.16DKDn1R098718@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=431ddd94360a9e86c91294eaa2c7b859911984b7 commit 431ddd94360a9e86c91294eaa2c7b859911984b7 Author: Young Xiao <92siuyang@gmail.com> AuthorDate: 2019-05-21 07:36:29 +0000 Commit: Warner Losh <imp@FreeBSD.org> CommitDate: 2021-07-13 20:13:21 +0000 Fix potential NULL pointer dereference of device physical path In ata_dev_advinfo() and nvme_dev_advinfo(), if the physical path is being stored and there is a malloc failure (malloc(9) is called with M_NOWAIT), we could wind up in a situation where the device's physpath_len is set to the length the user provided, but the physpath itself is NULL. If another context then comes in to fetch the physical path value, we would wind up trying to memcpy a NULL pointer into the caller's buffer. So, set the physpath_len to 0 when we free the physpath on entry into the store case for the physical path. Reset the length to a non-zero value only after we've successfully malloced a buffer to hold it. This code mirrors scsi_xpt.c does already as well. Signed-off-by: Young Xiao <92siuyang@gmail.com> Reviewed by: imp PR: 238014 --- sys/cam/ata/ata_xpt.c | 7 +++++-- sys/cam/nvme/nvme_xpt.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/sys/cam/ata/ata_xpt.c b/sys/cam/ata/ata_xpt.c index 08ce945a0938..946763342160 100644 --- a/sys/cam/ata/ata_xpt.c +++ b/sys/cam/ata/ata_xpt.c @@ -1758,9 +1758,11 @@ ata_dev_advinfo(union ccb *start_ccb) break; case CDAI_TYPE_PHYS_PATH: if (cdai->flags & CDAI_FLAG_STORE) { - if (device->physpath != NULL) + if (device->physpath != NULL) { free(device->physpath, M_CAMXPT); - device->physpath_len = cdai->bufsiz; + device->physpath = NULL; + device->physpath_len = 0; + } /* Clear existing buffer if zero length */ if (cdai->bufsiz == 0) break; @@ -1769,6 +1771,7 @@ ata_dev_advinfo(union ccb *start_ccb) start_ccb->ccb_h.status = CAM_REQ_ABORTED; return; } + device->physpath_len = cdai->bufsiz; memcpy(device->physpath, cdai->buf, cdai->bufsiz); } else { cdai->provsiz = device->physpath_len; diff --git a/sys/cam/nvme/nvme_xpt.c b/sys/cam/nvme/nvme_xpt.c index 0fc359ecb042..22d984d02038 100644 --- a/sys/cam/nvme/nvme_xpt.c +++ b/sys/cam/nvme/nvme_xpt.c @@ -683,9 +683,11 @@ nvme_dev_advinfo(union ccb *start_ccb) break; case CDAI_TYPE_PHYS_PATH: if (cdai->flags & CDAI_FLAG_STORE) { - if (device->physpath != NULL) + if (device->physpath != NULL) { free(device->physpath, M_CAMXPT); - device->physpath_len = cdai->bufsiz; + device->physpath = NULL; + device->physpath_len = 0; + } /* Clear existing buffer if zero length */ if (cdai->bufsiz == 0) break; @@ -694,6 +696,7 @@ nvme_dev_advinfo(union ccb *start_ccb) start_ccb->ccb_h.status = CAM_REQ_ABORTED; return; } + device->physpath_len = cdai->bufsiz; memcpy(device->physpath, cdai->buf, cdai->bufsiz); } else { cdai->provsiz = device->physpath_len;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202107132013.16DKDn1R098718>