kern/170003: [ichsmb] buffer overflow during block read

Mark Johnston markjdb at gmail.com
Thu Jul 19 19:20:14 UTC 2012


>Number:         170003
>Category:       kern
>Synopsis:       [ichsmb] buffer overflow during block read
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 19 19:20:13 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Mark Johnston
>Release:        CURRENT
>Organization:
Sandvine Inc.
>Environment:
FreeBSD oddish 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r237931+09aeb19-dirty: Sun Jul  1 13:10:47 EDT 2012     mark at oddish:/home/mark/src/obj/usr/home/mark/src/freebsd/sys/GENERIC  amd64
>Description:
ichsmb(4) uses a 32-byte buffer in the softc to hold the bytes received from a block read command. When such a command is issued, the hardware is supposed to fill out the host data 0 register with the number of bytes to be returned. Some devices return more than 32 bytes for some reason, causing ichsmb to clobber parts of its softc. In my case, the mutex gets overwritten, leading to a panic during execution of the next smbus command.
>How-To-Repeat:
It may not be reproducible depending on the devices available on the bus. Try running the program here: http://www.student.cs.uwaterloo.ca/~m6johnst/smbbread.c
>Fix:
Attached patch.

Patch attached with submission follows:

diff --git a/sys/dev/ichsmb/ichsmb.c b/sys/dev/ichsmb/ichsmb.c
index 5ff54db..ac4d191 100644
--- a/sys/dev/ichsmb/ichsmb.c
+++ b/sys/dev/ichsmb/ichsmb.c
@@ -575,8 +575,9 @@ ichsmb_device_intr(void *cookie)
 
 				/* First interrupt, get the count also */
 				if (sc->block_index == 0) {
-					sc->block_count = bus_read_1(
-					    sc->io_res, ICH_D0);
+					sc->block_count = min(
+					    bus_read_1(sc->io_res, ICH_D0),
+					    sizeof(sc->block_data));
 				}
 
 				/* Get next byte, if any */


>Release-Note:
>Audit-Trail:
>Unformatted:


More information about the freebsd-bugs mailing list