Date:      Mon, 26 Dec 2022 20:21:27 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        "jrtc27@freebsd.org" <jrtc27@FreeBSD.org>, freebsd-current <freebsd-current@freebsd.org>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Cc:        freebsd-arm <freebsd-arm@freebsd.org>
Subject:   Re: ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads (Should  it have been MFC'd?)
Message-ID:  <D735E4EB-4A1A-4C96-A07D-0D2CEC32A148@yahoo.com>
In-Reply-To: <C66820FD-6BEB-4A7A-8D98-0C6F2DDC9519@yahoo.com>
References:  <C66820FD-6BEB-4A7A-8D98-0C6F2DDC9519@yahoo.com>

On Dec 26, 2022, at 19:54, Mark Millard <marklmi@yahoo.com> wrote:

> Should the following have been MFC'd? (I ran into this while
> looking to see why I see a boot message oddity on 13.* that
> I do not see on main [so: 14]. There was a time when main
> also produced the odd messages. But I'm not claiming that
> this is what makes the difference. The oddity was observed
> on aarch64 RPi4B's.)
>

Never mind. I got myself confused over the history. 13.* does
not have the file at all.

> author Jessica Clarke <jrtc27@FreeBSD.org> 2022-01-15 19:03:53 +0000
> committer Jessica Clarke <jrtc27@FreeBSD.org> 2022-01-15 19:03:53 +0000
> commit 4e3a43905e3ff7b9fcf228022f05d636f79c4b42 (patch)
> tree b6be66e54604bb2c1fbdfde27bf8a6644e04fd05
> parent 3266a0c5d5abe8dd14de8478edec3e878e4a1c0b (diff)
> download src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.tar.gz
>          src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.zip
>
> ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads
>
> We do not include sys/rman.h and so machine/resource.h ends up not
> being included by the time pci_private.h is included. This means
> PCI_RES_BUS is never defined, and so the sc_bus member of pci_softc is
> not present when compiling ofw_pci, resulting in the wrong softc size
> being passed to DEFINE_CLASS_1 and thus any attempts by pci(4) to access
> that member are out-of-bounds reads or writes.
>
> This is pretty fragile; arguably pci_private.h should be including
> sys/rman.h, but this is the minimal needed change to fix the bug whilst
> maintaining the status quo.
>
> Found by: CHERI
> Reported by: andrew
>
> Diffstat
> -rw-r--r-- sys/dev/ofw/ofw_pci.c 1
> 1 files changed, 1 insertions, 0 deletions
>
> diff --git a/sys/dev/ofw/ofw_pci.c b/sys/dev/ofw/ofw_pci.c
> index 7f7aad379ddc..4bd6ccd64420 100644
> --- a/sys/dev/ofw/ofw_pci.c
> +++ b/sys/dev/ofw/ofw_pci.c
> @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
>  #include <sys/bus.h>
>  #include <sys/kernel.h>
>  #include <sys/module.h>
> +#include <sys/rman.h>
>=20
>  #include <dev/pci/pcireg.h>
>  #include <dev/pci/pcivar.h>
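
Review bot: The added `#include <sys/rman.h>` after `#include <sys/module.h>` has no comment explaining that it is load-bearing, so a later include cleanup could remove it and quietly bring back the undersized softc. Per the commit message it is there so that machine/resource.h is pulled in and PCI_RES_BUS is defined before pci_private.h is included; a short comment on that line saying so would protect it. The message itself calls the arrangement fragile and suggests pci_private.h should include sys/rman.h, which would be worth tracking as a follow-up so other files that include pci_private.h cannot end up with the same layout mismatch.
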
>
> (Note: leading whitespace might not be preserved.)




===
Mark Millard
marklmi at yahoo.com
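
The mismatch the quoted commit message describes, modelled in user-space C as an added example (not code from the e-mail or from FreeBSD): a core driver and a subclass file see different sizes for the same softc. The `DEMO_SOFTC` macro, the `softc_*` structs and `bytes_clobbered_past` are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; every name here is a hypothetical stand-in, not a
 * FreeBSD definition. DEMO_SOFTC expands one "header" struct with or without
 * its conditional member, like two files that disagree on a feature macro. */
#define DEMO_SOFTC(tag, conditional_member) \
	struct tag { void *sc_dma_tag; conditional_member }

DEMO_SOFTC(softc_core, void *sc_bus;);      /* core driver: macro defined */
DEMO_SOFTC(softc_sub_broken, );             /* subclass: macro undefined  */
DEMO_SOFTC(softc_sub_fixed, void *sc_bus;); /* subclass after the fix     */

/* The framework allocates only declared_size bytes for the softc; the rest of
 * the arena stands for whatever the allocator placed next. The core driver
 * then stores to sc_bus through its own view. Returns how many bytes beyond
 * the declared allocation that store changed. */
static size_t
bytes_clobbered_past(size_t declared_size)
{
	union {
		struct softc_core view;
		unsigned char raw[sizeof(struct softc_core)];
	} arena;
	size_t i, hit = 0;

	memset(arena.raw, 0xA5, sizeof(arena.raw));	/* canary pattern */
	arena.view.sc_bus = NULL;			/* core driver's write */
	for (i = declared_size; i < sizeof(arena.raw); i++)
		if (arena.raw[i] != 0xA5)
			hit++;
	return (hit);
}

/* Build-time guard a subclass file could carry: compilation fails if its
 * view of the softc is smaller than the one the core driver will use. */
_Static_assert(sizeof(struct softc_sub_fixed) >= sizeof(struct softc_core),
    "subclass softc is smaller than the core driver's view");

int
main(void)
{
	printf("broken: %zu bytes past the allocation\n",
	    bytes_clobbered_past(sizeof(struct softc_sub_broken)));
	printf("fixed:  %zu bytes past the allocation\n",
	    bytes_clobbered_past(sizeof(struct softc_sub_fixed)));
	return (0);
}
```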



