From: Dan Carpenter <dan.carpenter@oracle.com>
To: "James E.J. Bottomley" <JBottomley@odin.com>
Cc: linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [SCSI] atp870u: 64 bit bug in probe()
Date: Thu, 30 Jul 2015 00:36:05 +0300 [thread overview]
Message-ID: <20150729213605.GD21784@mwanda> (raw)
In-Reply-To: <20130904095002.GC13892@elgon.mountain>
On 64 bit CPUs there is a memory corruption bug on probe(). It should
be a u32 pointer instead of an unsigned long pointer or we write past
the end of the setupdata[] array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Someone reported in 2003 that probe has a NULL deref so maybe it's
related to this memory corruption?
https://bugzilla.kernel.org/show_bug.cgi?id=1118
If only we had applied this patch when I originally sent it two years
ago, then it would only be 10 years too late instead of 12! :P
diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c
index 05301bc..62acabd 100644
--- a/drivers/scsi/atp870u.c
+++ b/drivers/scsi/atp870u.c
@@ -2791,11 +2791,11 @@ next_fblk_885:
p->global_map[m]= 0;
for (k=0; k < 4; k++) {
outw(n++,base_io + 0x3c);
- ((unsigned long *)&setupdata[m][0])[k]=inl(base_io + 0x38);
+ ((u32 *)&setupdata[m][0])[k]=inl(base_io + 0x38);
}
for (k=0; k < 4; k++) {
outw(n++,base_io + 0x3c);
- ((unsigned long *)&p->sp[m][0])[k]=inl(base_io + 0x38);
+ ((u32 *)&p->sp[m][0])[k]=inl(base_io + 0x38);
}
n += 8;
}
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "James E.J. Bottomley" <JBottomley@odin.com>
Cc: linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] [SCSI] atp870u: 64 bit bug in probe()
Date: Wed, 29 Jul 2015 21:36:05 +0000 [thread overview]
Message-ID: <20150729213605.GD21784@mwanda> (raw)
In-Reply-To: <20130904095002.GC13892@elgon.mountain>
On 64 bit CPUs there is a memory corruption bug on probe(). It should
be a u32 pointer instead of an unsigned long pointer or we write past
the end of the setupdata[] array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Someone reported in 2003 that probe has a NULL deref so maybe it's
related to this memory corruption?
https://bugzilla.kernel.org/show_bug.cgi?id\x1118
If only we had applied this patch when I originally sent it two years
ago, then it would only be 10 years too late instead of 12! :P
diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c
index 05301bc..62acabd 100644
--- a/drivers/scsi/atp870u.c
+++ b/drivers/scsi/atp870u.c
@@ -2791,11 +2791,11 @@ next_fblk_885:
p->global_map[m]= 0;
for (k=0; k < 4; k++) {
outw(n++,base_io + 0x3c);
- ((unsigned long *)&setupdata[m][0])[k]=inl(base_io + 0x38);
+ ((u32 *)&setupdata[m][0])[k]=inl(base_io + 0x38);
}
for (k=0; k < 4; k++) {
outw(n++,base_io + 0x3c);
- ((unsigned long *)&p->sp[m][0])[k]=inl(base_io + 0x38);
+ ((u32 *)&p->sp[m][0])[k]=inl(base_io + 0x38);
}
n += 8;
}
next prev parent reply other threads:[~2015-07-29 21:36 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-04 9:50 [patch] [SCSI] atp870u: 64 bit bug in probe() Dan Carpenter
2013-09-04 9:50 ` Dan Carpenter
2015-07-29 21:36 ` Dan Carpenter [this message]
2015-07-29 21:36 ` Dan Carpenter
2015-07-30 6:54 ` Hannes Reinecke
2015-07-30 6:54 ` Hannes Reinecke
2015-12-09 10:24 ` [patch RESEND] atp870u: 64 bit bug in atp885_init() Dan Carpenter
2015-12-09 10:24 ` Dan Carpenter
2015-12-09 11:53 ` One Thousand Gnomes
2015-12-09 11:53 ` One Thousand Gnomes
2015-12-09 12:07 ` Ondrej Zary
2015-12-09 12:07 ` Ondrej Zary
2015-12-09 13:45 ` Dan Carpenter
2015-12-09 13:45 ` Dan Carpenter
2015-12-09 14:14 ` One Thousand Gnomes
2015-12-09 14:14 ` One Thousand Gnomes
2015-12-09 17:48 ` Dan Carpenter
2015-12-09 17:48 ` Dan Carpenter
2015-12-09 18:11 ` Julia Lawall
2015-12-09 18:11 ` Julia Lawall
2015-12-09 18:28 ` Dan Carpenter
2015-12-09 18:28 ` Dan Carpenter
2015-12-09 19:37 ` One Thousand Gnomes
2015-12-09 19:37 ` One Thousand Gnomes
2018-02-15 23:44 ` Martin K. Petersen
2018-02-15 23:44 ` Martin K. Petersen
2018-03-02 2:11 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150729213605.GD21784@mwanda \
--to=dan.carpenter@oracle.com \
--cc=JBottomley@odin.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.