| Message ID | 20150729213605.GD21784@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 07/29/2015 11:36 PM, Dan Carpenter wrote: > On 64 bit CPUs there is a memory corruption bug on probe(). It should > be a u32 pointer instead of an unsigned long pointer or we write past > the end of the setupdata[] array. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Someone reported in 2003 that probe has a NULL deref so maybe it's > related to this memory corruption? > https://bugzilla.kernel.org/show_bug.cgi?id=1118 > > If only we had applied this patch when I originally sent it two years > ago, then it would only be 10 years too late instead of 12! :P > Reviewed-by: Hannes Reinecke <hare@suse.com> Cheers, Hannes
diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c index 05301bc..62acabd 100644 --- a/drivers/scsi/atp870u.c +++ b/drivers/scsi/atp870u.c @@ -2791,11 +2791,11 @@ next_fblk_885: p->global_map[m]= 0; for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&setupdata[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&setupdata[m][0])[k]=inl(base_io + 0x38); } for (k=0; k < 4; k++) { outw(n++,base_io + 0x3c); - ((unsigned long *)&p->sp[m][0])[k]=inl(base_io + 0x38); + ((u32 *)&p->sp[m][0])[k]=inl(base_io + 0x38); } n += 8; }
On 64 bit CPUs there is a memory corruption bug on probe(). It should be a u32 pointer instead of an unsigned long pointer or we write past the end of the setupdata[] array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Someone reported in 2003 that probe has a NULL deref so maybe it's related to this memory corruption? https://bugzilla.kernel.org/show_bug.cgi?id=1118 If only we had applied this patch when I originally sent it two years ago, then it would only be 10 years too late instead of 12! :P -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html