
Fix potential NULL pointer dereference of device physical path

In ata_dev_advinfo() and nvme_dev_advinfo(), if the physical path is
being stored and there is a malloc failure (malloc(9) is called with
M_NOWAIT), we could wind up in a situation where the device's
physpath_len is set to the length the user provided, but the physpath
itself is NULL.

If another context then comes in to fetch the physical path value, we
would wind up trying to memcpy a NULL pointer into the caller's buffer.

So, set the physpath_len to 0 when we free the physpath on entry into
the store case for the physical path.  Reset the length to a non-zero
value only after we've successfully malloced a buffer to hold it.

This mirrors what scsi_xpt.c already does.

Signed-off-by:	Young Xiao <92siuyang@gmail.com>
Reviewed by:	imp
PR:		238014
This commit is contained in:
Young Xiao 2019-05-21 15:36:29 +08:00 committed by Warner Losh
parent b5c74dfd64
commit 431ddd9436
2 changed files with 10 additions and 4 deletions


@ -1758,9 +1758,11 @@ ata_dev_advinfo(union ccb *start_ccb)
break;
case CDAI_TYPE_PHYS_PATH:
if (cdai->flags & CDAI_FLAG_STORE) {
if (device->physpath != NULL)
if (device->physpath != NULL) {
free(device->physpath, M_CAMXPT);
device->physpath_len = cdai->bufsiz;
device->physpath = NULL;
device->physpath_len = 0;
}
/* Clear existing buffer if zero length */
if (cdai->bufsiz == 0)
break;
@ -1769,6 +1771,7 @@ ata_dev_advinfo(union ccb *start_ccb)
start_ccb->ccb_h.status = CAM_REQ_ABORTED;
return;
}
device->physpath_len = cdai->bufsiz;
memcpy(device->physpath, cdai->buf, cdai->bufsiz);
} else {
cdai->provsiz = device->physpath_len;
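Review bot: The store path still frees the existing physpath before the replacement is allocated, so a failed M_NOWAIT allocation (the CAM_REQ_ABORTED branch in the second hunk) now leaves the device with no physical path at all rather than the one it had; the zeroing added in the first hunk makes that state self-consistent, but it does not preserve the old value. Allocating and filling the new buffer first, and only then freeing the old one and updating pointer and length together, keeps the previous path on allocation failure and narrows the interval in which physpath and physpath_len disagree, which matters if the concurrent fetch the commit message describes can really interleave here. The malloc call itself lies in the gap between the two hunks, so the sketch below assumes it is `malloc(cdai->bufsiz, M_CAMXPT, M_NOWAIT)` as the commit message states. The same reordering applies to the nvme_dev_advinfo hunks in the second file.
```c
		if (cdai->flags & CDAI_FLAG_STORE) {
			void *new_path;

			/* Clear existing buffer if zero length */
			if (cdai->bufsiz == 0) {
				if (device->physpath != NULL)
					free(device->physpath, M_CAMXPT);
				device->physpath = NULL;
				device->physpath_len = 0;
				break;
			}
			/* Allocate the replacement before discarding the old path. */
			new_path = malloc(cdai->bufsiz, M_CAMXPT, M_NOWAIT);
			if (new_path == NULL) {
				start_ccb->ccb_h.status = CAM_REQ_ABORTED;
				return;
			}
			memcpy(new_path, cdai->buf, cdai->bufsiz);
			if (device->physpath != NULL)
				free(device->physpath, M_CAMXPT);
			device->physpath = new_path;
			device->physpath_len = cdai->bufsiz;
		} else {
```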


@ -683,9 +683,11 @@ nvme_dev_advinfo(union ccb *start_ccb)
break;
case CDAI_TYPE_PHYS_PATH:
if (cdai->flags & CDAI_FLAG_STORE) {
if (device->physpath != NULL)
if (device->physpath != NULL) {
free(device->physpath, M_CAMXPT);
device->physpath_len = cdai->bufsiz;
device->physpath = NULL;
device->physpath_len = 0;
}
/* Clear existing buffer if zero length */
if (cdai->bufsiz == 0)
break;
@ -694,6 +696,7 @@ nvme_dev_advinfo(union ccb *start_ccb)
start_ccb->ccb_h.status = CAM_REQ_ABORTED;
return;
}
device->physpath_len = cdai->bufsiz;
memcpy(device->physpath, cdai->buf, cdai->bufsiz);
} else {
cdai->provsiz = device->physpath_len;
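Review bot: `cdai->bufsiz` is still used unchecked as both the allocation size and the memcpy length on the new side, even though the commit message describes it as the length the user provided; if this request can originate outside the kernel, a sanity bound before the store (for example `if (cdai->bufsiz > MAXPATHLEN) { start_ccb->ccb_h.status = CAM_REQ_INVALID; return; }`) would keep a caller from driving an arbitrarily large M_NOWAIT allocation, though whether such a bound is already enforced upstream of this function is not visible from these hunks. This applies equally to the ata_dev_advinfo hunks in the first file. As a point of style, the store logic is now a third near-identical copy alongside scsi_xpt.c; a shared helper in the common xpt code would have let this fix land once and keep the three transports from drifting again.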