Date: Mon, 25 Mar 2019 17:04:14 +0000 (UTC) From: David Bright <dab@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r345507 - stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini Message-ID: <201903251704.x2PH4EQ5059466@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dab Date: Mon Mar 25 17:04:14 2019 New Revision: 345507 URL: https://svnweb.freebsd.org/changeset/base/345507 Log: MFC r345009: Fix a scribbler in the PMS driver. The ESGL bit was left uninitialized when executing the REPORT LUNS ioctl. This could allow a zeroed data buffer to be treated as a scatter/gather list. The firmware would eventually walk past the end of the data buffer, potentially find what looked like a valid address/length pair, and write the result to semi-random memory. Obtained from: Dell EMC Isilon Sponsored by: Dell EMC Isilon Modified: stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c ============================================================================== --- stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 25 17:03:39 2019 (r345506) +++ stable/11/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 25 17:04:14 2019 (r345507) @@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq( agSSPFrame->dataLength = REPORT_LUN_LEN; agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t); - + agSSPFrame->agSgl.extReserved = 0; + CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved); + status = saSSPStart(agRoot, agIORequest, 0, agDevHandle, agRequestType,agSASRequestBody,agNULL, &ossaSSPIoctlCompleted); if(status != AGSA_RC_SUCCESS)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903251704.x2PH4EQ5059466>