Module Name: src Committed By: maxv Date: Mon Aug 15 08:52:33 UTC 2016
Modified Files: src/sys/dev/microcode/aic7xxx: aicasm.c Log Message: This thing is completely buggy. There is a use-after-free and NULL pointer dereference. Just fix the uaf, and add a comment. Not tested, but obvious enough; found by brainy. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/dev/microcode/aic7xxx/aicasm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/microcode/aic7xxx/aicasm.c
diff -u src/sys/dev/microcode/aic7xxx/aicasm.c:1.8 src/sys/dev/microcode/aic7xxx/aicasm.c:1.9
--- src/sys/dev/microcode/aic7xxx/aicasm.c:1.8 Sun Dec 27 16:03:49 2009
+++ src/sys/dev/microcode/aic7xxx/aicasm.c Mon Aug 15 08:52:33 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $ */
+/* $NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $ */
 /*
 * Aic7xxx SCSI host adapter firmware asssembler
@@ -43,7 +43,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $");
+__RCSID("$NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $");
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -595,6 +595,7 @@ output_listing(char *ifilename)
 putchar(input);
 }
 free(func_values);
+ func_values = NULL;
 fprintf(stdout, "\nThanks!\n");
 }
@@ -604,6 +605,11 @@ output_listing(char *ifilename)
 cur_instr != NULL;
 cur_instr = STAILQ_NEXT(cur_instr, links), instrcount++) {
+ /*
+ * XXX XXX XXX: What exactly are we trying to do here?
+ * 'func_values' is always NULL, so check_patch will
+ * necessarily crash.
+ */
 if (check_patch(&cur_patch, instrcount, &skip_addr, func_values) == 0) {
 /* Don't count this instruction as it is in a patch
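Review bot: `free(func_values);` still runs before the `for (cur_instr = ...)` listing loop at line 604 that hands `func_values` to `check_patch`, so the added `func_values = NULL;` only turns the use-after-free into the NULL dereference the next hunk's XXX comment predicts. The table is consumed after the block closed by the `}` following `fprintf(stdout, "\nThanks!\n");`, so the release belongs after that loop: move `free(func_values);` (keeping the new reset next to it) to the end of `output_listing`, which fixes the lifetime bug outright and makes the XXX comment unnecessary. Whether `check_patch` must also tolerate a NULL table when no patch functions exist cannot be judged here, since its body is not in the diff. `output_listing` begins before this hunk and continues past it.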