Date:      Mon, 08 Feb 2016 23:13:03 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207037] ixv driver uses uninitialized offset variable and writes into arbitrary pci config register
Message-ID:  <bug-207037-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207037

            Bug ID: 207037
           Summary: ixv driver uses uninitialized offset variable and
                    writes into arbitrary pci config register
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jlott@averesystems.com

Created attachment 166768
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166768&action=edit
Patch to illustrate the problem

In the QEMU workaround code in if_ixv.c, the ixv driver calls pci_find_cap(dev,
PCIY_MSIX, &rid). It is not checking the return code from that function and the
function appears to always be failing. This then causes the driver to use the
rid variable uninitialized, which will mean setting a bit at an arbitrary
offset in pci config space. For now, this seems to have no adverse impact, but
it could easily cause very subtle problems. Also the QEMU workaround is
probably non-functional because of this.

I've attached a patch for a partial solution that checks the error code and
skips the PCI write if it fails. This avoids the erroneous PCI accesses, but it
would be better if we could figure out why finding the capability is failing (I
have not debugged it that far).

--
You are receiving this mail because:
You are the assignee for the bug.
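A user-space model of the checked pattern the report asks for, added here as an illustration and not taken from the ixv driver or the attached patch: `pci_find_cap()`, the config-space accessors and `struct mock_dev` are stand-ins I wrote (the constant values mirror FreeBSD's pcireg.h), and `mock_dev_init()` builds a constructed config space with and without an MSI-X capability so the failure path can be exercised.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Register and capability values mirror FreeBSD's sys/dev/pci/pcireg.h. */
#define PCIR_CAP_PTR              0x34
#define PCIY_MSIX                 0x11
#define PCIR_MSIX_CTRL            0x02
#define PCIM_MSIXCTRL_MSIX_ENABLE 0x8000

struct mock_dev { uint8_t cfg[256]; };  /* stand-in for device_t: 256-byte config space */

/* Little-endian config-space accessors modelled on pci_read_config()/pci_write_config(). */
static uint32_t pci_read_config(struct mock_dev *d, int reg, int width)
{
    uint32_t v = 0;
    for (int i = 0; i < width; i++) v |= (uint32_t)d->cfg[(reg + i) & 0xff] << (8 * i);
    return v;
}
static void pci_write_config(struct mock_dev *d, int reg, uint32_t val, int width)
{
    for (int i = 0; i < width; i++) d->cfg[(reg + i) & 0xff] = (uint8_t)(val >> (8 * i));
}

/* Same contract as the kernel's pci_find_cap(): 0 and *capreg set on success, ENOENT
 * (and *capreg untouched) when the capability is not in the list. */
static int pci_find_cap(struct mock_dev *d, int capability, int *capreg)
{
    int ptr = pci_read_config(d, PCIR_CAP_PTR, 1) & ~3;
    for (int hops = 0; ptr != 0 && hops < 48; hops++, ptr = pci_read_config(d, ptr + 1, 1) & ~3)
        if (pci_read_config(d, ptr, 1) == (uint32_t)capability) { *capreg = ptr; return 0; }
    return ENOENT;
}

/* The reporter's fix: bail out when the lookup fails, so rid is never used unset and no
 * arbitrary config register is written. Returns 0 once the MSI-X enable bit is set. */
static int ixv_enable_msix_checked(struct mock_dev *d)
{
    int rid, error = pci_find_cap(d, PCIY_MSIX, &rid);
    if (error != 0) return error;
    rid += PCIR_MSIX_CTRL;
    pci_write_config(d, rid, pci_read_config(d, rid, 2) | PCIM_MSIXCTRL_MSIX_ENABLE, 2);
    return 0;
}

/* Constructed config space: an MSI-X capability at 0x70, or an empty capability list. */
static void mock_dev_init(struct mock_dev *d, int with_msix)
{
    memset(d->cfg, 0, sizeof d->cfg);
    if (!with_msix) return;
    d->cfg[PCIR_CAP_PTR] = 0x70;
    d->cfg[0x70] = PCIY_MSIX;  /* cap id; next pointer at 0x71 stays 0 = end of list */
    d->cfg[0x72] = 0x07;       /* MSI-X control: table size 8, enable bit clear */
}
```

With the capability present the control word at 0x72 becomes 0x8007; with it absent the function returns ENOENT and config space is left untouched, which is exactly the write the unchecked driver code would have issued at an unset offset.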


