ports/149636: buffer overflow in pci_device_freebsd_read_rom() called from find_bios_string() in s3v_driver.c

Jerome D jerome65d at hotmail.fr
Fri Aug 13 22:50:03 UTC 2010


>Number:         149636
>Category:       ports
>Synopsis:       buffer overflow in pci_device_freebsd_read_rom() called from find_bios_string() in s3v_driver.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 13 22:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Jerome D
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD jd-freebsd.jddomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Core dump when launching the command Xorg
(BoardName   "86c368 [Trio 3D/2X]")

root# Xorg -config /root/xorg.conf.new

X.Org X Server 1.7.5
Release Date: 2010-02-16
X Protocol Version 11, Revision 0
Build Operating System: FreeBSD 8.1-RELEASE i386
Current Operating System: FreeBSD jd-freebsd.jddomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
Build Date: 30 June 2010  02:45:04AM

Current version of pixman: 0.16.6
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sat Aug 14 00:31:34 2010
(++) Using config file: "/root/xorg.conf.new"
Segmentation fault: 11 at address 0x286d3000

Fatal server error:
Caught signal 11 (Segmentation fault: 11). Server aborting


Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional information.

Abort (core dumped)


#0  0x28604a7e in memcpy () from /lib/libc.so.7
#1  0x2821f93f in pci_device_freebsd_read_rom () from /usr/local/lib/libpciaccess.so.0
#2  0x2821d234 in pci_device_read_rom () from /usr/local/lib/libpciaccess.so.0
#3  0x286cc026 in find_bios_string () from /usr/local/lib/xorg/modules/drivers/s3virge_drv.so
#4  0x286d2a40 in init.19138 () from /usr/local/lib/xorg/modules/drivers/s3virge_drv.so
#5  0x285e7f20 in time () from /lib/libc.so.7
Previous frame inner to this frame (corrupt stack?)


s3v_driver.c :
==============
static unsigned char *find_bios_string(S3VPtr ps3v, int BIOSbase, char *match1, char *match2)
{
#define BIOS_BSIZE 1024
#define BIOS_BASE  0xc0000
static unsigned char bios[BIOS_BSIZE];
..
  if (pci_device_read_rom(ps3v->PciInfo, bios))


freebsd_pci.c :
===============
static int pci_device_freebsd_read_rom(struct pci_device *dev,void *buffer)
{
void *bios;
..
bios = mmap( NULL, dev->rom_size, PROT_READ, 0, memfd, 0xc0000 );
..
memcpy( buffer, bios, dev->rom_size );
I don't think that the ROM size is less than or equal to 1024 bytes!

>How-To-Repeat:
root# Xorg -configure
root# Xorg -config /root/xorg.conf.new

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
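Added example, not part of the PR and not code from xorg-server or libpciaccess: a self-contained C model of the size mismatch the report points at. The callee copies dev->rom_size bytes into whatever buffer it is handed and has no size parameter, so the only place a bounds check can live is the caller. The struct, the read_rom() stand-in, the simulated ROM image and the marker string are all constructed for the demonstration; the 1024-byte BIOS_BSIZE is the value from the report.

```c
/* Added example (not from the PR, xorg-server or libpciaccess): caller-side
 * sizing for a ROM read whose callee copies dev->rom_size bytes unconditionally.
 * All names below are constructed stand-ins, not the real libpciaccess API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BIOS_BSIZE 1024   /* fixed buffer size used by find_bios_string() in the report */

/* Minimal stand-in for struct pci_device: only the field the bug depends on,
 * plus a pointer to a simulated ROM image (constructed, replaces the mmap). */
struct pci_device {
    size_t rom_size;
    const unsigned char *rom_image;
};

/* Stand-in for pci_device_read_rom(): same contract as the call in the report.
 * It copies dev->rom_size bytes and cannot know how big 'buffer' is, so it
 * will run past a 1024-byte buffer whenever rom_size is larger. */
static int read_rom(struct pci_device *dev, void *buffer)
{
    if (dev->rom_image == NULL) return -1;
    memcpy(buffer, dev->rom_image, dev->rom_size);
    return 0;
}

/* Safe caller: size the destination from dev->rom_size instead of assuming
 * BIOS_BSIZE. Uses the static buffer when it is large enough and a heap
 * buffer otherwise. Returns the buffer holding the ROM (free it if it is not
 * 'bios') or NULL on failure; *out_len receives the number of valid bytes. */
static unsigned char *read_rom_sized(struct pci_device *dev,
                                     unsigned char *bios, size_t *out_len)
{
    unsigned char *buf = bios;
    if (dev->rom_size > BIOS_BSIZE) {
        buf = malloc(dev->rom_size);
        if (buf == NULL) return NULL;
    }
    if (read_rom(dev, buf) != 0) {
        if (buf != bios) free(buf);
        return NULL;
    }
    *out_len = dev->rom_size;
    return buf;
}

/* Bounded search for a string inside the ROM bytes; returns its offset or -1.
 * Works with memcmp rather than strstr so embedded NULs in the ROM are fine. */
static long find_in_rom(const unsigned char *rom, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(rom + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Demonstration driver: builds a constructed ROM image of rom_size bytes with
 * 'marker' placed at marker_off (if it fits), reads it through the sized
 * path and searches for the marker. Returns the offset found, -1 if absent,
 * -2 on allocation failure. With a 64 KiB ROM and the original fixed
 * 1024-byte buffer, the copy would have written 63 KiB past 'bios'. */
static long locate_marker(size_t rom_size, size_t marker_off, const char *marker)
{
    static unsigned char bios[BIOS_BSIZE];
    unsigned char *image = calloc(rom_size, 1);
    if (image == NULL) return -2;
    if (marker_off + strlen(marker) <= rom_size)
        memcpy(image + marker_off, marker, strlen(marker));

    struct pci_device dev = { rom_size, image };
    size_t len = 0;
    unsigned char *rom = read_rom_sized(&dev, bios, &len);
    long off = rom ? find_in_rom(rom, len, marker) : -1;

    if (rom && rom != bios) free(rom);
    free(image);
    return off;
}

int main(void)
{
    /* Constructed 64 KiB ROM, marker well beyond the first 1024 bytes. */
    printf("marker at offset %ld\n", locate_marker(64 * 1024, 40000, "S3 86C368"));
    return 0;
}
```

The point of the example is where the check sits: read_rom() mirrors the real callee and stays unchanged, and the caller decides the buffer size from dev->rom_size before the copy happens. Checking rom_size against BIOS_BSIZE and refusing the read would also be a valid defensive choice if the driver only ever needs the first kilobyte; what is not valid is handing a 1024-byte buffer to a copy of unknown length.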