Date: Thu, 19 Apr 2012 20:20:12 GMT
From: Andreas Longwitz <longwitz@incore.de>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Message-ID: <201204192020.q3JKKCIv002312@freefall.freebsd.org>
The following reply was made to PR kern/155658; it has been noted by GNATS.

From: Andreas Longwitz <longwitz@incore.de>
To: John Baldwin <jhb@FreeBSD.org>
Cc: bug-followup@freebsd.org, scottl@freebsd.org
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Thu, 19 Apr 2012 22:12:50 +0200

John,

I did several tests with your patch in 8.2 and everything works fine, if I use the binary version of megarc with the patch included described in ports/137938.

The original megarc sends amr_ioctl's with length 12868 (e.g. the first ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the controller with real_length=16384, but the controller returns 25412 bytes. This happens all the time on nearly every megarc command. I think this is a program error in megarc: it uses user_cmd=0xa104 with buffer length 12868, but the firmware of the controller replies with 25412 bytes. So we have memory corruption of 25412 - 16384 = 9026 bytes. The patch in ports/137938 changes the length field in megarc from 12868 to 25412 to avoid this problem. A line like

    if( len == 12868 ) len = 25412;

would solve this problem in the driver. I did not find any other static problems of this type.

Another story are dynamic problems. When the controller is very busy, I sometimes see 1KB returned from the controller when the length is much lower. This problem is handled by your patch in all cases.

Andreas Longwitz
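The sizing problem Andreas describes is that the driver picks the DMA buffer size from the length megarc passes in, while the firmware writes as many bytes as the command produces. The following C block is an added illustration for this thread, not code from the amr driver or from John Baldwin's patch. It models the reported case with constructed numbers (12868 requested, 16384 after page rounding, 25412 written by the firmware for user_cmd 0xa104), generalises the suggested one-liner into a hypothetical per-command table of minimum reply sizes plus a one-page floor, and uses a canary region after the buffer to report how far the reply overran the allocation. The table contents, the page size and the slack size are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test values taken from the figures quoted in the thread;
 * this is not the amr driver's code. */
#define MEGARC_USER_LEN  12868u   /* buffer length megarc passes in      */
#define FIRMWARE_REPLY   25412u   /* bytes the firmware actually writes  */
#define PAGE_ROUND        4096u   /* assumed rounding granularity        */
#define CMD_CTLRINFO     0xa104u  /* user_cmd seen in the report         */

/* Hypothetical per-command table of the largest reply the firmware is
 * known to produce.  This generalises "if (len == 12868) len = 25412;":
 * the minimum is keyed on the command, not on whatever length the
 * userland tool happens to send. */
struct known_reply { uint16_t cmd; size_t min_len; };
static const struct known_reply known_replies[] = {
    { CMD_CTLRINFO, FIRMWARE_REPLY },
};

static size_t round_up(size_t n, size_t a)
{
    return (n + a - 1) / a * a;
}

/* Choose the DMA buffer size for an ioctl: the user's length rounded up
 * to a page, never below one page (covers the occasional ~1KB reply to a
 * short request), and never below the reply known for this command. */
size_t amr_alloc_length(uint16_t cmd, size_t user_len)
{
    size_t len = round_up(user_len, PAGE_ROUND);
    if (len < PAGE_ROUND)
        len = PAGE_ROUND;
    for (size_t i = 0; i < sizeof known_replies / sizeof known_replies[0]; i++)
        if (known_replies[i].cmd == cmd && known_replies[i].min_len > len)
            len = known_replies[i].min_len;
    return len;
}

/* Simulated DMA region: the allocated buffer followed by canary bytes that
 * stand in for whatever the kernel allocator placed next.  The "firmware"
 * writes reply_len bytes regardless of alloc_len, as the thread describes.
 * Returns the number of bytes that landed past the allocation (0 means no
 * corruption), or -1 if the model itself cannot be kept in bounds. */
long simulate_ioctl(size_t alloc_len, size_t reply_len)
{
    const size_t slack = 65536;            /* assumed size of the canary area */
    size_t region = alloc_len + slack;
    if (reply_len > region)
        return -1;
    uint8_t *buf = malloc(region);
    if (buf == NULL)
        return -1;
    memset(buf, 0xA5, region);             /* canary pattern everywhere      */

    memset(buf, 0x00, reply_len);          /* firmware reply lands here      */

    long overflow = 0;
    for (size_t i = alloc_len; i < region; i++)
        if (buf[i] != 0xA5)
            overflow++;                    /* canary byte clobbered          */
    free(buf);
    return overflow;
}

int main(void)
{
    size_t rounded = round_up(MEGARC_USER_LEN, PAGE_ROUND);
    size_t tabled  = amr_alloc_length(CMD_CTLRINFO, MEGARC_USER_LEN);
    printf("page rounding only: alloc %zu, overrun %ld bytes\n",
           rounded, simulate_ioctl(rounded, FIRMWARE_REPLY));
    printf("with reply table:   alloc %zu, overrun %ld bytes\n",
           tabled, simulate_ioctl(tabled, FIRMWARE_REPLY));
    return 0;
}
```

The table only fixes the static case Andreas found; it cannot help with a command whose reply size is not known in advance, and on real hardware nothing after the DMA write can undo the overrun, so the allocation has to be right before the command is issued. The block computes the overrun from the two lengths rather than quoting a figure.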