Module Name:    src
Committed By:   jdolecek
Date:           Tue Jul 14 10:44:34 UTC 2020

Modified Files:
        src/sys/dev/ic: ciss.c

Log Message:
only copy the actual command length in ciss_scsi_cmd(), instead of always
copying CISS_MAX_CDB bytes

Fixes reading past buffer memory triggered e.g. on kernel dump, reported
by KASAN:
ASan: Unauthorized Access In ...: Addr ... [16 bytes, read, RedZonePartial]

also do not pre-zero the cdb before copying cmd to it, there is no need for it


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.45 src/sys/dev/ic/ciss.c:1.46
--- src/sys/dev/ic/ciss.c:1.45	Tue Jul 14 10:38:06 2020
+++ src/sys/dev/ic/ciss.c	Tue Jul 14 10:44:34 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.45 2020/07/14 10:38:06 jdolecek Exp $	*/
+/*	$NetBSD: ciss.c,v 1.46 2020/07/14 10:44:34 jdolecek Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.68 2013/05/30 16:15:02 deraadt Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.45 2020/07/14 10:38:06 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.46 2020/07/14 10:44:34 jdolecek Exp $");
 
 #include "bio.h"
 
@@ -1225,8 +1225,7 @@ ciss_scsi_cmd(struct scsipi_channel *cha
 		else if (xs->xs_control & XS_CTL_DATA_OUT)
 			cmd->flags |= CISS_CDB_OUT;
 		cmd->tmo = htole16(xs->timeout < 1000? 1 : xs->timeout / 1000);
-		memset(&cmd->cdb[0], 0, sizeof(cmd->cdb));
-		memcpy(&cmd->cdb[0], xs->cmd, CISS_MAX_CDB);
+		memcpy(&cmd->cdb[0], xs->cmd, xs->cmdlen);
 		CISS_DPRINTF(CISS_D_CMD, ("cmd=%02x %02x %02x %02x %02x %02x ",
 			     cmd->cdb[0], cmd->cdb[1], cmd->cdb[2],
 			     cmd->cdb[3], cmd->cdb[4], cmd->cdb[5]));
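Review bot: The new memcpy on the `+` line trusts xs->cmdlen as the copy length, but nothing in the hunk bounds it against the destination, so a cmdlen larger than sizeof(cmd->cdb) would now overwrite whatever follows cdb in the command structure, where the old fixed CISS_MAX_CDB copy could not. If the scsipi layer guarantees the bound, it is worth making that visible at the copy site with `KASSERT(xs->cmdlen <= sizeof(cmd->cdb));` before the memcpy (or an explicit error return if the driver prefers not to rely on callers). Dropping the memset also means bytes of cdb past cmdlen now hold whatever was previously in that ccb; that is harmless only if cmd->cdblen, set outside this hunk, always matches xs->cmdlen, which I cannot confirm from the visible lines. The CISS_DPRINTF below still prints cdb[0..5] unconditionally, so for commands shorter than six bytes it reports stale bytes. ciss_scsi_cmd begins and ends outside this hunk.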
