From owner-freebsd-bugs@FreeBSD.ORG Thu Apr 19 20:50:11 2012
Date: Thu, 19 Apr 2012 20:50:11 GMT
Message-Id: <201204192050.q3JKoBhs031404@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: John Baldwin
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic

The following reply was made to PR kern/155658; it has been noted by GNATS.

From: John Baldwin
To: Andreas Longwitz
Cc: bug-followup@freebsd.org, scottl@freebsd.org
Subject: Re: kern/155658: [amr] [patch] amr_ioctl(): call of malloc() causes memory corruption and panic
Date: Thu, 19 Apr 2012 16:49:45 -0400

On Thursday, April 19, 2012 4:12:50 pm Andreas Longwitz wrote:
> John,
> I did several tests with your patch in 8.2 and everything works fine, if
> I use the binary version of megarc with the patch included described in
> ports/137938.
>
> The original megarc sends amr_ioctl's with length 12868 (e.g. the first
> ioctl of the command "megarc -ctlrinfo -a0") and your patch calls the
> controller with real_length=16384, but the controller returns 25412
> bytes. This happens all the time on nearly every megarc command. I think
> this is a program error in megarc: it uses user_cmd=0xa104 with buffer
> length 12868, but the firmware of the controller replies with 25412
> bytes. So we have memory corruption of 25412 - 16384 = 9026 bytes. The
> patch in ports/137938 changes the length field in megarc from 12868 to
> 25412 to avoid this problem. A line like
> if( len == 12868 ) len = 25412;
> would solve this problem in the driver. I did not find any other static
> problems of this type.
>
> Another story is dynamic problems. When the controller is very busy, I
> sometimes see 1KB bytes returned from the controller when the length is
> much lower. This problem is handled by your patch in all cases.

Hmm, given the above, I'm tempted to just force the buffer to always be
at least 32k. Scott, what do you think about that?

--
John Baldwin
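The sizing problem discussed in this PR, modelled as an added example that is not part of the PR, the megarc patch, or the amr(4) driver: a caller-supplied ioctl length is rounded up to a kernel buffer size, the firmware reply is checked against that buffer, and the reply's "at least 32k" floor is compared with the patched sizing. The power-of-two rounding is an assumption (the mail only reports that 12868 became 16384 under the patch), AMR_MIN_BUFLEN and the amr_* helper names are hypothetical, and note that 25412 - 16384 is 9028, two more than the figure quoted in the mail.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the amr ioctl passthrough buffer; not amr(4) driver code. */
#define AMR_MIN_BUFLEN 32768u   /* the "at least 32k" floor proposed in the reply */
/* Round up to a power of two; 0 signals overflow.  Assumption: the PR only
 * reports that 12868 became 16384 under the patch; this rule yields that. */
size_t amr_round_pow2(size_t len)
{
    size_t r = 1;
    while (r != 0 && r < len)
        r <<= 1;
    return r;
}

/* Kernel buffer length for a caller-supplied ioctl length, with or without
 * the proposed floor; 0 means the request must be rejected. */
size_t amr_buflen(size_t user_len, bool enforce_floor)
{
    size_t len = amr_round_pow2(user_len);
    if (len != 0 && enforce_floor && len < AMR_MIN_BUFLEN)
        len = AMR_MIN_BUFLEN;
    return len;
}

/* Simulated firmware completion writing reply_len bytes into a buf_len buffer.
 * Real DMA cannot be clipped afterwards; this copies what fits, returns the rest. */
size_t amr_overrun(unsigned char *buf, size_t buf_len,
                   const unsigned char *reply, size_t reply_len)
{
    size_t n = reply_len < buf_len ? reply_len : buf_len;
    memcpy(buf, reply, n);
    return reply_len - n;
}

/* Replay the PR's numbers: caller asks for user_len, firmware answers reply_len.
 * Returns the bytes of kernel memory the sizing rule lets the reply corrupt. */
size_t amr_scenario(size_t user_len, size_t reply_len, bool enforce_floor)
{
    size_t buf_len = amr_buflen(user_len, enforce_floor);
    unsigned char *buf = buf_len ? calloc(buf_len, 1) : NULL;
    unsigned char *reply = calloc(reply_len, 1);    /* constructed payload */
    size_t over = (buf && reply) ? amr_overrun(buf, buf_len, reply, reply_len)
                                 : reply_len;       /* nothing copied */
    free(buf);
    free(reply);
    return over;
}
```

With the patched sizing alone the 12868-byte request gets a 16384-byte buffer and the 25412-byte reply overruns it by 9028 bytes; with the 32k floor the same reply fits.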