On 12/07/2010 14:04, John Martin wrote:
On 07/12/10 05:05 AM, Rob McMahon wrote:
That can't be good. If state is not CPUPM_P_STATES
or CPUPM_T_STATES don't bother setting state_domain and then
immediately dereference some
garbage from the stack. Surely there should be at least an cmn_err and
return there, if not an assert ... I'm sure the function is always
called with state being one of the two, but still.
Agreed, this should be hardened.
However, cpupm_state_change() is only called from two places:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/i86pc/os/cpupm/cpupm_throttle.c#360
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/i86pc/os/cpupm/cpupm_mach.c#735
with the state set to CPUPM_T_STATES or CPUPM_P_STATES.
There should not be a path where the uninitialized stack
pointer state_domain is dereferenced. Can we agree the
hardening should be filed as a P3/P4 and not P1/P2?
I've logged a bug on defect.opensolaris.org
*Bug 16519* <https://defect.opensolaris.org/bz/show_bug.cgi?id=16519> -
cpupm_state_change - possible uninitialized pointer dereference
I set it at P5 / minor, maybe it should be higher than that, but it's
certainly not P1/P2.
Cheers,
Rob
--
E-Mail: [email protected] PHONE: +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England
_______________________________________________
pm-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pm-discuss
