author | Brooks Davis <brooks@FreeBSD.org> | 2018-03-13 19:56:10 +0000 |
---|---|---|
committer | Brooks Davis <brooks@FreeBSD.org> | 2018-03-13 19:56:10 +0000 |
commit | 8037cdcd9ab4f8e62ceabdded0f43afb2a11df0f (patch) | |
tree | 39b9aaa20f06bc0f4c8aa358afbbd4b0e945a9e1 /sys/dev/isp | |
parent | cd1fd29c26d341bf99175e01c0a6c797340bdfe2 (diff) | |
Fix ISP_FC_LIP and ISP_RESCAN on big-endian 64-bit systems.
For _IO() ioctls, addr is a pointer to uap->data which is a caddr_t.
When the caddr_t stores an int, dereferencing addr as an (int *) results
in truncation on little-endian 64-bit systems and corruption (owing to
extracting top bits) on big-endian 64-bit systems. In practice the
value of chan was probably always zero on systems of the latter type as
all such FreeBSD platforms use a register-based calling convention.
Reviewed by: mav
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14673
Notes:
svn path=/head/; revision=330876
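The effect the commit message describes, modelled as an added example (not code from the commit or the FreeBSD tree): a 64-bit slot is laid out in each byte order and read back as 4 bytes and as 8 bytes. The helper names and sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Lay out a 64-bit slot (the caddr_t carrying the ioctl argument) in the
 * requested byte order, independent of the host's own endianness. */
static void store_slot(unsigned char slot[8], int64_t value, int big_endian)
{
    uint64_t v = (uint64_t)value;
    for (int i = 0; i < 8; i++)
        slot[i] = (unsigned char)(v >> (big_endian ? 8 * (7 - i) : 8 * i));
}

/* Read the first `width` bytes of the slot in the same byte order. */
static uint64_t load_slot(const unsigned char slot[8], int width, int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < width; i++)
        v |= (uint64_t)slot[i] << (big_endian ? 8 * (width - 1 - i) : 8 * i);
    return v;
}

/* Models chan = *(int *)addr on an LP64 system: 4 bytes at offset 0. */
static int32_t int_view(int64_t value, int big_endian)
{
    unsigned char slot[8];
    store_slot(slot, value, big_endian);
    return (int32_t)(uint32_t)load_slot(slot, 4, big_endian);
}

/* Models *(intptr_t *)addr on an LP64 system: all 8 bytes. */
static int64_t intptr_view(int64_t value, int big_endian)
{
    unsigned char slot[8];
    store_slot(slot, value, big_endian);
    return (int64_t)load_slot(slot, 8, big_endian);
}

int main(void)
{
    /* Constructed sample arguments: a small channel number, and a value
     * with bits set above bit 31. */
    const int64_t samples[] = { 1, 0x100000002LL };
    for (int s = 0; s < 2; s++)
        for (int be = 0; be <= 1; be++)
            printf("%s-endian arg=%#llx: (int *)=%d (intptr_t *)=%lld\n",
                be ? "big" : "little", (unsigned long long)samples[s],
                (int)int_view(samples[s], be),
                (long long)intptr_view(samples[s], be));
    return 0;
}
```

The 4-byte read returns the low half of the slot in little-endian layout and the high half in big-endian layout, while the 8-byte read returns the stored value in both.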
Diffstat (limited to 'sys/dev/isp')
-rw-r--r-- | sys/dev/isp/isp_freebsd.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c index 464c80584c08..3f7850829b91 100644 --- a/sys/dev/isp/isp_freebsd.c +++ b/sys/dev/isp/isp_freebsd.c @@ -444,7 +444,7 @@ ispioctl(struct cdev *dev, u_long c, caddr_t addr, int flags, struct thread *td) case ISP_RESCAN: if (IS_FC(isp)) { - chan = *(int *)addr; + chan = *(intptr_t *)addr; if (chan < 0 || chan >= isp->isp_nchan) { retval = -ENXIO; break; @@ -461,7 +461,7 @@ ispioctl(struct cdev *dev, u_long c, caddr_t addr, int flags, struct thread *td) case ISP_FC_LIP: if (IS_FC(isp)) { - chan = *(int *)addr; + chan = *(intptr_t *)addr; if (chan < 0 || chan >= isp->isp_nchan) { retval = -ENXIO; break; |
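Review bot: In the ISP_RESCAN case, the value read through `*(intptr_t *)addr` is assigned straight to `chan` before the `chan < 0 || chan >= isp->isp_nchan` check. The declaration of `chan` is not visible in this hunk, but if it is still an `int`, the assignment narrows the value implicitly and the range check then runs on the low 32 bits only. Consider reading into an `intptr_t` local, range-checking that, and only then assigning to `chan`, or at least make the narrowing explicit with a cast so the intent is on the page.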
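Review bot: In the ISP_FC_LIP case the new `(intptr_t *)` cast carries no comment, and nothing at the call site says why `addr` is read at pointer width here. A one-line comment that `addr` points at a `caddr_t`-sized slot for these ioctls would keep a later cleanup from turning it back into `(int *)`. Since this case and ISP_RESCAN now share the identical read and range check, a small helper would keep the two in step.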