mirror of
https://github.com/freebsd/freebsd-src
synced 2024-09-30 05:36:10 +00:00
fwcontrol: Allocate full fw_asyreq structures passed to the kernel
Some checks are pending
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-13, /opt/homebrew/opt/llvm@13/bin, macos-latest, bmake libarchive llvm@13, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-13, /opt/homebrew/opt/llvm@13/bin, macos-latest, bmake libarchive llvm@13, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-12, /usr/lib/llvm-12/bin, ubuntu-20.04, bmake libarchive-dev clang-12 lld-12, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-12, /usr/lib/llvm-12/bin, ubuntu-20.04, bmake libarchive-dev clang-12 lld-12, amd64, amd64) (push) Waiting to run
Some checks are pending
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-13, /opt/homebrew/opt/llvm@13/bin, macos-latest, bmake libarchive llvm@13, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-13, /opt/homebrew/opt/llvm@13/bin, macos-latest, bmake libarchive llvm@13, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-12, /usr/lib/llvm-12/bin, ubuntu-20.04, bmake libarchive-dev clang-12 lld-12, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-12, /usr/lib/llvm-12/bin, ubuntu-20.04, bmake libarchive-dev clang-12 lld-12, amd64, amd64) (push) Waiting to run
The FW_ASYREQ ioctl accepts a struct fw_asyreq object as its argument, meaning that the kernel always copies in the full structure in sys_ioctl before passing the request down to the driver. However, fwcontrol was allocating smaller objects that contained only the request header and a variable-sized payload. This means that the kernel copy in sys_ioctl was reading off the end of this buffer. On current architectures this happened to be ok, but it is UB. Instead, allocate a full structure. Reported by: GCC 14 -Walloc-size Reviewed by: rlibby, brooks Differential Revision: https://reviews.freebsd.org/D46014
This commit is contained in:
parent
2ba12978f6
commit
9494dfe1b3
|
@ -207,7 +207,7 @@ read_write_quad(int fd, struct fw_eui64 eui, u_int32_t addr_lo, int readmode, u_
|
|||
struct fw_asyreq *asyreq;
|
||||
u_int32_t *qld, res;
|
||||
|
||||
asyreq = (struct fw_asyreq *)malloc(sizeof(struct fw_asyreq_t) + 16);
|
||||
asyreq = malloc(sizeof(*asyreq));
|
||||
if (asyreq == NULL)
|
||||
err(EX_SOFTWARE, "%s:asyreq malloc", __func__);
|
||||
asyreq->req.len = 16;
|
||||
|
@ -262,7 +262,7 @@ send_phy_config(int fd, int root_node, int gap_count)
|
|||
{
|
||||
struct fw_asyreq *asyreq;
|
||||
|
||||
asyreq = (struct fw_asyreq *)malloc(sizeof(struct fw_asyreq_t) + 12);
|
||||
asyreq = malloc(sizeof(*asyreq));
|
||||
if (asyreq == NULL)
|
||||
err(EX_SOFTWARE, "%s:asyreq malloc", __func__);
|
||||
asyreq->req.len = 12;
|
||||
|
@ -289,7 +289,7 @@ link_on(int fd, int node)
|
|||
{
|
||||
struct fw_asyreq *asyreq;
|
||||
|
||||
asyreq = (struct fw_asyreq *)malloc(sizeof(struct fw_asyreq_t) + 12);
|
||||
asyreq = malloc(sizeof(*asyreq));
|
||||
if (asyreq == NULL)
|
||||
err(EX_SOFTWARE, "%s:asyreq malloc", __func__);
|
||||
asyreq->req.len = 12;
|
||||
|
@ -308,7 +308,7 @@ reset_start(int fd, int node)
|
|||
{
|
||||
struct fw_asyreq *asyreq;
|
||||
|
||||
asyreq = (struct fw_asyreq *)malloc(sizeof(struct fw_asyreq_t) + 16);
|
||||
asyreq = malloc(sizeof(*asyreq));
|
||||
if (asyreq == NULL)
|
||||
err(EX_SOFTWARE, "%s:asyreq malloc", __func__);
|
||||
asyreq->req.len = 16;
|
||||
|
|
Loading…
Reference in a new issue