From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 207037] ixv driver uses uninitialized offset variable and writes into arbitrary pci config register
Date: Mon, 08 Feb 2016 23:13:03 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207037

            Bug ID: 207037
           Summary: ixv driver uses uninitialized offset variable and
                    writes into arbitrary pci config register
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jlott@averesystems.com

Created attachment 166768
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166768&action=edit
Patch to illustrate the problem

In the QEMU workaround code in if_ixv.c, the ixv driver calls
pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code from
that function and the function appears to always be failing. This then
causes the driver to use the rid variable uninitialized, which will mean
setting a bit at an arbitrary offset in pci config space. For now, this
seems to have no adverse impact, but it could easily cause very subtle
problems. Also the QEMU workaround is probably non-functional because of
this.

I've attached a patch for a partial solution that checks the error code and
skips the PCI write if it fails. This avoids the erroneous PCI accesses, but
it would be better if we could figure out why finding the capability is
failing (I have not debugged it that far).

-- 
You are receiving this mail because:
You are the assignee for the bug.
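The defect and its fix, as a stand-alone user-space model added here (this is not the ixv driver's or FreeBSD's code): a capability-list walk in the style of pci_find_cap(9) over a constructed 256-byte config space, and the MSI-X enable write guarded on that call's return value so no config register is touched when the capability is absent. The struct and helper names (cfg, find_cap, enable_msix_checked, make_cfg) are assumptions; the PCI offsets and bits are the standard spec values.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* PCI config-space offsets and bits (PCI spec values, as named in FreeBSD's pcireg.h). */
#define PCIR_STATUS               0x06
#define PCIM_STATUS_CAPPRESENT    0x0010
#define PCIR_CAP_PTR              0x34
#define PCIY_MSIX                 0x11
#define PCIR_MSIX_CTRL            0x02
#define PCIM_MSIXCTRL_MSIX_ENABLE 0x8000

/* Constructed stand-in for one device's 256-byte config space (hypothetical type). */
struct cfg { uint8_t b[256]; };

static uint16_t rd16(const struct cfg *c, int off) { return c->b[off] | (c->b[off + 1] << 8); }
static void wr16(struct cfg *c, int off, uint16_t v) { c->b[off] = v & 0xff; c->b[off + 1] = v >> 8; }

/* Capability-list walk modelled on pci_find_cap(9): 0 with *capreg set on success, ENOENT otherwise. */
static int find_cap(const struct cfg *c, int cap, int *capreg) {
    if (!(rd16(c, PCIR_STATUS) & PCIM_STATUS_CAPPRESENT))
        return ENOENT;                            /* device advertises no capability list */
    int ptr = c->b[PCIR_CAP_PTR] & ~3;
    for (int hops = 0; ptr >= 0x40 && hops < 48; hops++) {   /* hop limit stops a looped list */
        if (c->b[ptr] == cap) { *capreg = ptr; return 0; }
        ptr = c->b[ptr + 1] & ~3;                 /* next pointer; low two bits are reserved */
    }
    return ENOENT;
}

/* Guarded form of the workaround: set MSI-X enable only if the capability was found.
 * Returns the offset written, or -1 when the write was skipped (rid is never read then). */
static int enable_msix_checked(struct cfg *c) {
    int rid;
    if (find_cap(c, PCIY_MSIX, &rid) != 0)
        return -1;                                /* the report's fix: skip the PCI write */
    rid += PCIR_MSIX_CTRL;
    wr16(c, rid, rd16(c, rid) | PCIM_MSIXCTRL_MSIX_ENABLE);
    return rid;
}

/* Constructed config spaces: MSI capability at 0x50, optionally chained to MSI-X at 0x70. */
static struct cfg make_cfg(int with_msix) {
    struct cfg c; memset(&c, 0, sizeof c);
    wr16(&c, PCIR_STATUS, PCIM_STATUS_CAPPRESENT);
    c.b[PCIR_CAP_PTR] = 0x50;
    c.b[0x50] = 0x05;                             /* PCIY_MSI */
    c.b[0x51] = with_msix ? 0x70 : 0x00;          /* a zero next pointer terminates the list */
    if (with_msix) c.b[0x70] = PCIY_MSIX;         /* its own next pointer stays 0 */
    return c;
}
```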