kern/89878: [PATCH] pccard.c:pccard_safe_quote() unsafe
Adrian Steinmann
ast at marabu.ch
Sat Dec 3 09:30:28 GMT 2005
>Number: 89878
>Category: kern
>Synopsis: [PATCH] pccard.c:pccard_safe_quote() unsafe
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 03 09:30:05 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Adrian Steinmann
>Release: FreeBSD 6.0-STABLE i386
>Organization: Webgroup Consulting AG
>Environment:
System: FreeBSD nico.marabu.ch 6.0-STABLE FreeBSD 6.0-STABLE #8: Sat Dec 3 09:26:04 CET 2005 root at nico.marabu.ch:/usr/obj/usr/src/sys/NIC i386
Also in -current
>Description:
panic when TDK 128MB CF is inserted with pccard adapter
>How-To-Repeat:
insert pccard adapter holding a TDK 128MB CF
>Fix:
The routine pccard_safe_quote() in
sys/dev/pccard/pccard.c:993:pccard_safe_quote(char *dst, const char *src, size_t len)
does not check whether src is NULL, but this may be the case because the
cis1_info entries are initialized as such:
sys/dev/pccard/pccard_cis.c:88: state.card->cis1_info[0] = NULL;
sys/dev/pccard/pccard_cis.c:89: state.card->cis1_info[1] = NULL;
sys/dev/pccard/pccard_cis.c:90: state.card->cis1_info[2] = NULL;
sys/dev/pccard/pccard_cis.c:91: state.card->cis1_info[3] = NULL;
The patch enclosed checks if src is NULL and returns, making it safe.
The TDK 128MB CF displays this behavior and panics the kernel in pccard_safe_quote().
It seems to be connected to the odd CISTPL_VERS_1 which the TDK CF has: here is the
info (captured with hw.pccard.debug: 1 and hw.pccard.cis_debug: 1) for the TDK
and "No Name (Jinmeng)" card:
card.cis1_info[] NULL ("abnormal" case):
TDK, 128MB
ata2: <vendor=0x501 product=0x401> at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 122MB <TDK TC M Rev 3.03> at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
CISTPL_DEVICE type=funcspec speed=ext
01 04 df 4a 01 ff
unhandled CISTPL 1c
1c 04 02 d9 01 ff
unhandled CISTPL 18
18 02 df 01
CISTPL_MANFID
20 04 01 05 01 04
CISTPL_VERS_1
15 0b 04 01 54 44 4b 20 54 43 5f 4d ff
CISTPL_FUNCID
21 02 04 01
CISTPL_FUNCE
22 02 01 01
CISTPL_FUNCE
22 03 02 0c 0f
CISTPL_CONFIG
1a 05 01 03 00 02 0f
CISTPL_CFTABLE_ENTRY
1b 08 c0 40 a1 01 55 08 00 20
CISTPL_CFTABLE_ENTRY
1b 06 00 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 0a c1 41 99 01 55 64 f0 ff ff 20
CISTPL_CFTABLE_ENTRY
1b 06 01 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 0f c2 41 99 01 55 ea 61 f0 01 07 f6 03 01 ee
20
CISTPL_CFTABLE_ENTRY
1b 06 02 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 0f c3 41 99 01 55 ea 61 70 01 07 76 03 01 ee
20
CISTPL_CFTABLE_ENTRY
1b 06 03 01 21 b5 1e 4d
unhandled CISTPL 14
CISTPL_NO_LINK
14 00
CISTPL_END
ff
pccard0: check_cis_quirks
pccard0: CIS version PCCARD 2.0 or 2.1
pccard0: CIS info:
card.cis1_info[] not NULL ("normal" case):
Jinmemg, 128MB
ata2: <Jinmemg 128MB> at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 123MB <Hyperstone ATA 30/06/03> at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
CISTPL_DEVICE type=funcspec speed=250ns
01 03 d9 01 ff
unhandled CISTPL 1c
1c 04 02 d9 01 ff
unhandled CISTPL 18
18 02 df 01
CISTPL_MANFID
20 04 00 00 00 00
CISTPL_FUNCID
21 02 04 01
CISTPL_FUNCE
22 02 01 01
CISTPL_FUNCE
22 03 02 04 07
CISTPL_CONFIG
1a 05 01 07 00 02 0f
CISTPL_CFTABLE_ENTRY
1b 0b c0 c0 a1 27 55 4d 5d 75 08 00 21
CISTPL_CFTABLE_ENTRY
1b 06 00 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 0d c1 41 99 27 55 4d 5d 75 64 f0 ff ff 21
CISTPL_CFTABLE_ENTRY
1b 06 01 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 12 c2 41 99 27 55 4d 5d 75 ea 61 f0 01 07 f6
03 01 ee 21
CISTPL_CFTABLE_ENTRY
1b 06 02 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 12 c3 41 99 27 55 4d 5d 75 ea 61 70 01 07 76
03 01 ee 21
CISTPL_CFTABLE_ENTRY
1b 06 03 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
1b 04 07 00 28 d3
unhandled CISTPL 14
CISTPL_NO_LINK
14 00
CISTPL_VERS_1
15 11 04 01 4a 69 6e 6d 65 6d 67 00 31 32 38 4d
42 00 ff
CISTPL_END
ff
pccard0: check_cis_quirks
pccard0: CIS version PCCARD 2.0 or 2.1
pccard0: CIS info: Jinmemg, 128MB
PATCH:
Index: sys/dev/pccard/pccard.c
===================================================================
RCS file: /usr/cvs/src/sys/dev/pccard/pccard.c,v
retrieving revision 1.105.2.2
diff -u -r1.105.2.2 pccard.c
--- sys/dev/pccard/pccard.c 27 Sep 2005 18:42:19 -0000 1.105.2.2
+++ sys/dev/pccard/pccard.c 3 Dec 2005 07:52:39 -0000
@@ -996,7 +996,7 @@
if (len == 0)
return;
- while (walker < ep)
+ while ( (src != NULL) && (walker < ep) )
{
if (*src == '"') {
if (ep - walker < 2)
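Review bot: folding `src != NULL` into the loop condition re-tests it on every iteration and, when src is NULL, simply skips the loop after the `len == 0` early return has already been passed; unless the code following the loop writes the terminating NUL unconditionally (not visible in this hunk), the caller is handed an unterminated dst. Handle the NULL case once, before the loop, e.g. `if (src == NULL) src = "";` (or write `*dst = '\0'` and return), so a missing CIS string yields an empty, terminated buffer, and drop the redundant inner parentheses and padding (`while (src != NULL && walker < ep)`) to match the surrounding style. Since the NULL originates in cis1_info[] entries that the CIS parser leaves unset, the pccard.c callers that pass those entries are worth guarding as well rather than relying on this helper alone.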
>Release-Note:
>Audit-Trail:
>Unformatted:
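To show what the fix in this PR needs to guarantee (a NULL src from an unset cis1_info[] entry must produce an empty, NUL-terminated string rather than a dereference), here is an added, self-contained example in the spirit of pccard_safe_quote(). It is not the FreeBSD function and not part of the PR: the names safe_quote() and quote_demo() are hypothetical, and the escaping rule (a '"' in src is written as \") is assumed from the `if (*src == '"')` visible in the hunk, not taken from the kernel source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for pccard_safe_quote() (not the FreeBSD code):
 * copy src into dst (capacity len bytes), escaping '"' as \", always
 * NUL-terminating, and treating a NULL src as the empty string.
 * Returns the number of bytes written, not counting the NUL.
 */
size_t
safe_quote(char *dst, const char *src, size_t len)
{
	char *walker, *ep;

	if (dst == NULL || len == 0)
		return (0);
	walker = dst;
	ep = dst + len - 1;		/* last slot is reserved for the NUL */
	if (src == NULL)		/* e.g. a cis1_info[] entry left unset */
		src = "";
	while (*src != '\0' && walker < ep) {
		if (*src == '"') {
			if (ep - walker < 2)	/* no room for '\\' and '"' */
				break;
			*walker++ = '\\';
		}
		*walker++ = *src++;
	}
	*walker = '\0';
	return ((size_t)(walker - dst));
}

/*
 * Quote src into a static scratch buffer that is poisoned first, so a
 * missing terminator would show up as trailing 'X' bytes.
 */
const char *
quote_demo(const char *src, size_t len)
{
	static char buf[32];

	memset(buf, 'X', sizeof(buf));
	if (len > sizeof(buf))
		len = sizeof(buf);
	(void)safe_quote(buf, src, len);
	return (buf);
}

int
main(void)
{
	/* Constructed inputs: the NULL case is the one that panicked. */
	const char *cases[] = { NULL, "TDK TC_M", "Say \"hi\"", "0123456789" };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-12s -> \"%s\"\n",
		    cases[i] == NULL ? "(NULL)" : cases[i],
		    quote_demo(cases[i], 8));
	return (0);
}
```

The NULL check sits before the loop rather than inside its condition, so the terminator write after the loop runs on every path and the caller never sees an unterminated buffer; the `ep - walker < 2` test keeps an escaped quote from being split by truncation.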