Bug #4233
mptsas topo change buffer overflow
Added by Hans Rosenfeld over 7 years ago.
Updated about 7 years ago.
Description
There is a nasty little buffer overflow in the SMHBA code in mpt_sas.
When a directly attached device is plugged in, mptsas_handle_topo_change() will try to update the phy properties for SMHBA by calling mptsas_smhba_set_phy_props() for one (1) phy. Mptsas_smhba_set_phy_props() will allocate space for one nvlist pointer according to the phy_nums argument. Later when it iterates over all phys and sets the properties for those that have a matching phy_mask, it does not check phy_nums and will happily write past the end of the nvlist pointer array.
- % Done changed from 0 to 90
Webrev: http://cr.illumos.org/~webrev/hans/illumos-4233-webrev/
To fix this, I split mptsas_smhba_set_phy_props(). Mptsas_smhba_set_all_phy_props() behaves just as mptsas_smhba_set_phy_props() did before, setting the properties for all matching phys. The new function mptsas_smhba_set_one_phy_props() will set the properties for just one phy; instead of a phy_mask it takes the PHY# as argument. Common code lives in two helper functions now.
While at it, I did some minor cleanups in the code that I had to touch anyway.
I tested this with sas-info, the output is the same as before.
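The allocation/loop mismatch described above, modelled in C as an added example (this is not the mpt_sas driver code; MODEL_NPHYS, the model_phy_props_t stand-in and the model_ functions are assumptions). The all-phys path keeps the bound the original loop lacked, and the single-phy path mirrors the fix's approach of taking a PHY# and needing no pointer array:

```c
#include <stdint.h>
#include <stdlib.h>

#define MODEL_NPHYS 8   /* assumed phy count for this model, not the driver's */

/* Constructed stand-in for a phy's properties (the driver builds an nvlist). */
typedef struct { int phy_num; } model_phy_props_t;

/*
 * Checked form of the all-phys path: phy_nums slots are allocated and slot i
 * is written only while i < phy_nums. The loop in the bug filled one slot per
 * phy in phy_mask without ever consulting phy_nums. Returns the number of
 * phys filled, or -1 when the mask selects more phys than the array holds.
 */
int model_set_all_phy_props(uint32_t phy_mask, int phy_nums,
    model_phy_props_t **out)
{
	model_phy_props_t *props;
	int i = 0, phy;
	if (phy_nums <= 0 || out == NULL)
		return (-1);
	if ((props = calloc((size_t)phy_nums, sizeof (*props))) == NULL)
		return (-1);
	for (phy = 0; phy < MODEL_NPHYS; phy++) {
		if (!(phy_mask & (1u << phy)))
			continue;
		if (i >= phy_nums) {	/* the bound the original loop lacked */
			free(props);
			return (-1);
		}
		props[i++].phy_num = phy;
	}
	*out = props;
	return (i);
}

/* Single-phy path as in the fix: takes a PHY# and needs no pointer array. */
int model_set_one_phy_props(int phy, model_phy_props_t *p)
{
	if (phy < 0 || phy >= MODEL_NPHYS || p == NULL)
		return (-1);
	p->phy_num = phy;
	return (0);
}

/* Convenience for callers/tests: fill for a mask, return the count, free. */
int model_fill_count(uint32_t phy_mask, int phy_nums)
{
	model_phy_props_t *props = NULL;
	int n = model_set_all_phy_props(phy_mask, phy_nums, &props);
	free(props);
	return (n);
}
```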
- Status changed from New to Resolved
- % Done changed from 90 to 100
- Tags deleted (needs-triage)
Resolved in 8b1f072cdb7c7ae7c166fc48e2f1988fc5fbb3f4.