git: 4e3a43905e3f - main - ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 15 Jan 2022 19:13:13 UTC
The branch main has been updated by jrtc27:
URL: https://cgit.FreeBSD.org/src/commit/?id=4e3a43905e3ff7b9fcf228022f05d636f79c4b42
commit 4e3a43905e3ff7b9fcf228022f05d636f79c4b42
Author: Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2022-01-15 19:03:53 +0000
Commit: Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2022-01-15 19:03:53 +0000
ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads
We do not include sys/rman.h and so machine/resource.h ends up not being
included by the time pci_private.h is included. This means PCI_RES_BUS
is never defined, and so the sc_bus member of pci_softc is not present
when compiling ofw_pci, resulting in the wrong softc size being passed
to DEFINE_CLASS_1 and thus any attempts by pci(4) to access that member
are out-of-bounds reads or writes.
This is pretty fragile; arguably pci_private.h should be including
sys/rman.h, but this is the minimal needed change to fix the bug whilst
maintaining the status quo.
Found by: CHERI
Reported by: andrew
---
sys/dev/ofw/ofw_pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/dev/ofw/ofw_pci.c b/sys/dev/ofw/ofw_pci.c
index 7f7aad379ddc..4bd6ccd64420 100644
--- a/sys/dev/ofw/ofw_pci.c
+++ b/sys/dev/ofw/ofw_pci.c
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
#include <sys/bus.h>
#include <sys/kernel.h>
#include <sys/module.h>
+#include <sys/rman.h>
#include <dev/pci/pcireg.h>
#include <dev/pci/pcivar.h>