From: Dan Carpenter <dan.carpenter@oracle.com> To: "James E.J. Bottomley" <JBottomley@odin.com> Cc: linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] [SCSI] atp870u: 64 bit bug in probe() Date: Thu, 30 Jul 2015 00:36:05 +0300 [thread overview] Message-ID: <20150729213605.GD21784@mwanda> (raw) In-Reply-To: <20130904095002.GC13892@elgon.mountain> On 64 bit CPUs there is a memory corruption bug on probe(). It should be a u32 pointer instead of an unsigned long pointer or we write past the end of the setupdata[] array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Someone reported in 2003 that probe has a NULL deref so maybe it's related to this memory corruption? https://bugzilla.kernel.org/show_bug.cgi?id=1118 If only we had applied this patch when I originally sent it two years ago, then it would only be 10 years too late instead of 12! :P diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c index 05301bc..62acabd 100644 --- a/drivers/scsi/atp870u.c +++ b/drivers/scsi/atp870u.c @@ -2791,11 +2791,11 @@ next_fblk_885: p->global_map[m]= 0; for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&setupdata[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&setupdata[m][0])[k]=inl(base_io + 0x38); } for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&p->sp[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&p->sp[m][0])[k]=inl(base_io + 0x38); } n += 8; }
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com> To: "James E.J. Bottomley" <JBottomley@odin.com> Cc: linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] [SCSI] atp870u: 64 bit bug in probe() Date: Wed, 29 Jul 2015 21:36:05 +0000 [thread overview] Message-ID: <20150729213605.GD21784@mwanda> (raw) In-Reply-To: <20130904095002.GC13892@elgon.mountain> On 64 bit CPUs there is a memory corruption bug on probe(). It should be a u32 pointer instead of an unsigned long pointer or we write past the end of the setupdata[] array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Someone reported in 2003 that probe has a NULL deref so maybe it's related to this memory corruption? https://bugzilla.kernel.org/show_bug.cgi?id\x1118 If only we had applied this patch when I originally sent it two years ago, then it would only be 10 years too late instead of 12! :P diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c index 05301bc..62acabd 100644 --- a/drivers/scsi/atp870u.c +++ b/drivers/scsi/atp870u.c @@ -2791,11 +2791,11 @@ next_fblk_885: p->global_map[m]= 0; for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&setupdata[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&setupdata[m][0])[k]=inl(base_io + 0x38); } for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&p->sp[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&p->sp[m][0])[k]=inl(base_io + 0x38); } n += 8; }
next prev parent reply other threads:[~2015-07-29 21:36 UTC|newest] Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-09-04 9:50 [patch] [SCSI] atp870u: 64 bit bug in probe() Dan Carpenter 2013-09-04 9:50 ` Dan Carpenter 2015-07-29 21:36 ` Dan Carpenter [this message] 2015-07-29 21:36 ` Dan Carpenter 2015-07-30 6:54 ` Hannes Reinecke 2015-07-30 6:54 ` Hannes Reinecke 2015-12-09 10:24 ` [patch RESEND] atp870u: 64 bit bug in atp885_init() Dan Carpenter 2015-12-09 10:24 ` Dan Carpenter 2015-12-09 11:53 ` One Thousand Gnomes 2015-12-09 11:53 ` One Thousand Gnomes 2015-12-09 12:07 ` Ondrej Zary 2015-12-09 12:07 ` Ondrej Zary 2015-12-09 13:45 ` Dan Carpenter 2015-12-09 13:45 ` Dan Carpenter 2015-12-09 14:14 ` One Thousand Gnomes 2015-12-09 14:14 ` One Thousand Gnomes 2015-12-09 17:48 ` Dan Carpenter 2015-12-09 17:48 ` Dan Carpenter 2015-12-09 18:11 ` Julia Lawall 2015-12-09 18:11 ` Julia Lawall 2015-12-09 18:28 ` Dan Carpenter 2015-12-09 18:28 ` Dan Carpenter 2015-12-09 19:37 ` One Thousand Gnomes 2015-12-09 19:37 ` One Thousand Gnomes 2018-02-15 23:44 ` Martin K. Petersen 2018-02-15 23:44 ` Martin K. Petersen 2018-03-02 2:11 ` Martin K. Petersen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20150729213605.GD21784@mwanda \ --to=dan.carpenter@oracle.com \ --cc=JBottomley@odin.com \ --cc=kernel-janitors@vger.kernel.org \ --cc=linux-scsi@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.