On Wed, Aug 24, 2016 at 6:09 AM, Shawn Webb
<[email protected]> wrote:
> On Tue, Aug 23, 2016 at 07:03:11PM +0000, Landon J. Fuller wrote:
>> Author: landonf
>> Date: Tue Aug 23 19:03:11 2016
>> New Revision: 304692
>> URL: https://svnweb.freebsd.org/changeset/base/304692
>>
>> Log:
>>   bhndb(4): Fix unsigned integer underflow in dynamic register window
>>   handling. This resulted in the window target being left uninitialized
>>   when an underflow occurred.
>
> Is this remotely exploitable? What are the ramifications of this bug?

As Michael noted, the WIP code isn't actively used anywhere, but if it
were: The target address of a PCI BAR mapping into SoC address space
could be left uninitialized, leading to a bhnd(4) bus driver
reading/writing to whatever SoC physical address range the window
happened to be pointing to -- most likely unmapped memory.
It's very unlikely that full driver attach and network interface
bring-up would succeed.
-landonf
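
The bug class named in the commit log above (an unsigned subtraction that wraps, so the window target is never programmed) is sketched below as an added illustration; it is not part of this thread and is not the bhndb(4) source. The struct, function names, stale value and addresses are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: a fixed-size aperture in a PCI BAR whose "target" is
 * the SoC physical address it currently maps. */
struct dyn_window {
    uint32_t size;   /* aperture size, power of two */
    uint32_t target; /* stale until the driver programs it */
};

#define STALE_TARGET 0x00000000u /* constructed stand-in for "uninitialized" */

/* Buggy: when addr lies past the window end, the unsigned subtraction wraps
 * to a huge value, the request appears to fit, and the target is never set. */
static uint32_t map_buggy(struct dyn_window *w, uint32_t addr, uint32_t len)
{
    uint32_t left = (w->target + w->size) - addr; /* wraps if addr > end */
    if (addr < w->target || left < len)
        w->target = addr & ~(w->size - 1);
    return w->target;
}

/* Checked: every subtraction is guarded so it cannot wrap. Returns 0 and the
 * programmed target, or -1 if the request cannot fit in one aperture. */
static int map_checked(struct dyn_window *w, uint32_t addr, uint32_t len,
                       uint32_t *target)
{
    if (len == 0 || len > w->size)
        return -1;
    if (addr < w->target || addr - w->target > w->size - len) {
        uint32_t base = addr & ~(w->size - 1);
        if (addr - base > w->size - len)
            return -1; /* request straddles the aperture boundary */
        w->target = base;
    }
    *target = w->target;
    return 0;
}

int main(void)
{
    struct dyn_window a = { 0x1000u, STALE_TARGET }, b = a;
    uint32_t t = 0;
    /* Constructed request: 0x100 bytes at SoC address 0x18001000. */
    printf("buggy   target: 0x%08x\n", (unsigned)map_buggy(&a, 0x18001000u, 0x100u));
    if (map_checked(&b, 0x18001000u, 0x100u, &t) == 0)
        printf("checked target: 0x%08x\n", (unsigned)t);
    return 0;
}
```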