Date: Mon, 11 Mar 2019 14:26:45 +0000 (UTC)
From: David Bright <dab@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r345009 - head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini
Message-ID: <201903111426.x2BEQkgQ004384@repo.freebsd.org>
Author: dab Date: Mon Mar 11 14:26:45 2019 New Revision: 345009 URL: https://svnweb.freebsd.org/changeset/base/345009 Log: Fix a scribbler in the PMS driver. The ESGL bit was left uninitialized when executing the REPORT LUNS ioctl. This could allow a zeroed data buffer to be treated as a scatter/gather list. The firmware would eventually walk past the end of the data buffer, potentially find what looked like a valid address/length pair, and write the result to semi-random memory. Obtained from: Dell EMC Isilon MFC after: 1 week Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D19398 Modified: head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Modified: head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c ============================================================================== --- head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 11 14:21:14 2019 (r345008) +++ head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 11 14:26:45 2019 (r345009) @@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq( agSSPFrame->dataLength = REPORT_LUN_LEN; agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t); - + agSSPFrame->agSgl.extReserved = 0; + CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved); + status = saSSPStart(agRoot, agIORequest, 0, agDevHandle, agRequestType,agSASRequestBody,agNULL, &ossaSSPIoctlCompleted); if(status != AGSA_RC_SUCCESS)
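Review bot: In the two added statements after `agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t);`, `extReserved` is assigned 0 and then immediately passed to `CLEAR_ESGL_EXTEND`, which looks redundant if that macro only clears the ESGL bit in the same field. Consider keeping one of the two, and add a short comment saying that the firmware treats the data buffer as a scatter/gather list when this bit is set, so the initialization is not dropped in a later cleanup. Since the log describes the field as previously uninitialized, it would also be worth zeroing the whole `agSgl` before filling in `len`, so that any member not assigned here cannot carry stale data into `saSSPStart()`.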