Author: brooks Date: Tue Mar 13 19:56:10 2018 New Revision: 330876 URL: https://svnweb.freebsd.org/changeset/base/330876
Log: Fix ISP_FC_LIP and ISP_RESCAN on big-endian 64-bit systems. For _IO() ioctls, addr is a pointer to uap->data which is a caddr_t. When the caddr_t stores an int, dereferencing addr as an (int *) results in truncation on little-endian 64-bit systems and corruption (owing to extracting top bits) on big-endian 64-bit systems. In practice the value of chan was probably always zero on systems of the latter type as all such FreeBSD platforms use a register-based calling convention. Reviewed by: mav Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14673 Modified: head/sys/dev/isp/isp_freebsd.c Modified: head/sys/dev/isp/isp_freebsd.c ============================================================================== --- head/sys/dev/isp/isp_freebsd.c Tue Mar 13 19:49:06 2018 (r330875) +++ head/sys/dev/isp/isp_freebsd.c Tue Mar 13 19:56:10 2018 (r330876) @@ -444,7 +444,7 @@ ispioctl(struct cdev *dev, u_long c, caddr_t addr, int case ISP_RESCAN: if (IS_FC(isp)) { - chan = *(int *)addr; + chan = *(intptr_t *)addr; if (chan < 0 || chan >= isp->isp_nchan) { retval = -ENXIO; break; @@ -461,7 +461,7 @@ ispioctl(struct cdev *dev, u_long c, caddr_t addr, int case ISP_FC_LIP: if (IS_FC(isp)) { - chan = *(int *)addr; + chan = *(intptr_t *)addr; if (chan < 0 || chan >= isp->isp_nchan) { retval = -ENXIO; break; _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"