Author: dab Date: Mon Mar 11 14:26:45 2019 New Revision: 345009 URL: https://svnweb.freebsd.org/changeset/base/345009
Log: Fix a scribbler in the PMS driver. The ESGL bit was left uninitialized when executing the REPORT LUNS ioctl. This could allow a zeroed data buffer to be treated as a scatter/gather list. The firmware would eventually walk past the end of the data buffer, potentially find what looked like a valid address/length pair, and write the result to semi-random memory. Obtained from: Dell EMC Isilon MFC after: 1 week Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D19398 Modified: head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Modified: head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c ============================================================================== --- head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 11 14:21:14 2019 (r345008) +++ head/sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c Mon Mar 11 14:26:45 2019 (r345009) @@ -1874,7 +1874,9 @@ tiNumOfLunIOCTLreq( agSSPFrame->dataLength = REPORT_LUN_LEN; agSSPFrame->agSgl.len = sizeof(agsaSSPCmdInfoUnit_t); - + agSSPFrame->agSgl.extReserved = 0; + CLEAR_ESGL_EXTEND(agSSPFrame->agSgl.extReserved); + status = saSSPStart(agRoot, agIORequest, 0, agDevHandle, agRequestType,agSASRequestBody,agNULL, &ossaSSPIoctlCompleted); if(status != AGSA_RC_SUCCESS) _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
