Re: softraid_raid5: possible NULL dereference

2020-03-26 Thread Mark Kettenis 
> Date: Thu, 26 Mar 2020 01:03:26 +0100
> From: Tobias Heider 
> 
> sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be
> NULL if the memory pool is depleted.
> The result is used as 'dst' argument to memcpy() in the following call to
> sr_raid5_regenerate(), resulting in a possible NULL dereference.
> 
> ok?
> 
> Index: softraid_raid5.c
> ===
> RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 softraid_raid5.c
> --- softraid_raid5.c  8 Aug 2019 02:19:55 -   1.29
> +++ softraid_raid5.c  25 Mar 2020 23:54:25 -
> @@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s
>   wu_w = sr_scsi_wu_get(sd, 0);
>   wu_r = sr_scsi_wu_get(sd, 0);
>  
> - xorbuf = sr_block_get(sd, strip_size);
> + if ((xorbuf = sr_block_get(sd, strip_size)) == NULL)
> + goto bad;
>   if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba,
>   strip_size, xorbuf))
>   goto bad;

As a matter of style, it is better to avoid assignments in if-statements.

Re: softraid_raid5: possible NULL dereference

2020-03-26 Thread Stefan Sperling 
On Thu, Mar 26, 2020 at 01:03:26AM +0100, Tobias Heider wrote:
> sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be
> NULL if the memory pool is depleted.
> The result is used as 'dst' argument to memcpy() in the following call to
> sr_raid5_regenerate(), resulting in a possible NULL dereference.
> 
> ok?
> 
> Index: softraid_raid5.c
> ===
> RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 softraid_raid5.c
> --- softraid_raid5.c  8 Aug 2019 02:19:55 -   1.29
> +++ softraid_raid5.c  25 Mar 2020 23:54:25 -
> @@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s
>   wu_w = sr_scsi_wu_get(sd, 0);
>   wu_r = sr_scsi_wu_get(sd, 0);
>  
> - xorbuf = sr_block_get(sd, strip_size);
> + if ((xorbuf = sr_block_get(sd, strip_size)) == NULL)
> + goto bad;
>   if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba,
>   strip_size, xorbuf))
>   goto bad;
> 

Obvious fix. ok stsp@

Same problem is present in sr_raid5_scrub() which is currently in #if 0.

softraid_raid5: possible NULL dereference

2020-03-25 Thread Tobias Heider 
sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be
NULL if the memory pool is depleted.
The result is used as 'dst' argument to memcpy() in the following call to
sr_raid5_regenerate(), resulting in a possible NULL dereference.

ok?

Index: softraid_raid5.c
===
RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v
retrieving revision 1.29
diff -u -p -r1.29 softraid_raid5.c
--- softraid_raid5.c8 Aug 2019 02:19:55 -   1.29
+++ softraid_raid5.c25 Mar 2020 23:54:25 -
@@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s
wu_w = sr_scsi_wu_get(sd, 0);
wu_r = sr_scsi_wu_get(sd, 0);
 
-   xorbuf = sr_block_get(sd, strip_size);
+   if ((xorbuf = sr_block_get(sd, strip_size)) == NULL)
+   goto bad;
if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba,
strip_size, xorbuf))
goto bad;