>Number: 170003
>Category: kern
>Synopsis: [ichsmb] buffer overflow during block read
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 19 19:20:13 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Mark Johnston
>Release: CURRENT
>Organization:
Sandvine Inc.
>Environment:
FreeBSD oddish 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r237931+09aeb19-dirty: Sun
Jul 1 13:10:47 EDT 2012
mark@oddish:/home/mark/src/obj/usr/home/mark/src/freebsd/sys/GENERIC amd64
>Description:
ichsmb(4) uses a 32-byte buffer in the softc to hold the bytes received from a
block read command. When such a command is issued, the hardware is supposed to
fill out the host data 0 register with the number of bytes to be returned. Some
devices return more than 32 bytes for some reason, causing ichsmb to clobber
parts of its softc. In my case, the mutex gets overwritten, leading to a panic
during execution of the next smbus command.
>How-To-Repeat:
It may not be reproducible depending on the devices available on the bus. Try
running the program here:
http://www.student.cs.uwaterloo.ca/~m6johnst/smbbread.c
>Fix:
Attached patch.
Patch attached with submission follows:
diff --git a/sys/dev/ichsmb/ichsmb.c b/sys/dev/ichsmb/ichsmb.c
index 5ff54db..ac4d191 100644
--- a/sys/dev/ichsmb/ichsmb.c
+++ b/sys/dev/ichsmb/ichsmb.c
@@ -575,8 +575,9 @@ ichsmb_device_intr(void *cookie)
/* First interrupt, get the count also */
if (sc->block_index == 0) {
- sc->block_count = bus_read_1(
- sc->io_res, ICH_D0);
+ sc->block_count = min(
+ bus_read_1(sc->io_res, ICH_D0),
+ sizeof(sc->block_data));
}
/* Get next byte, if any */
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
