Re: ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads (Should it have been MFC'd?)
Date: Tue, 27 Dec 2022 04:21:27 UTC
On Dec 26, 2022, at 19:54, Mark Millard <marklmi@yahoo.com> wrote:

> Should the following have been MFC'd? (I ran into this while
> looking to see why I see a boot message oddity on 13.* that
> I do not see on main [so: 14]. There was a time when main
> also produced the odd messages. But I'm not claiming that
> this is what makes the difference. The oddity was observed
> on aarch64 RPi4B's.)
>

Never mind. I got myself confused over the history. 13.* does not have the file at all.

> author Jessica Clarke <jrtc27@FreeBSD.org> 2022-01-15 19:03:53 +0000
> committer Jessica Clarke <jrtc27@FreeBSD.org> 2022-01-15 19:03:53 +0000
> commit 4e3a43905e3ff7b9fcf228022f05d636f79c4b42 (patch)
> tree b6be66e54604bb2c1fbdfde27bf8a6644e04fd05
> parent 3266a0c5d5abe8dd14de8478edec3e878e4a1c0b (diff)
> download src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.tar.gz
> src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.zip
>
> ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads
>
> We do not include sys/rman.h and so machine/resource.h ends up not being included by the time pci_private.h is included. This means PCI_RES_BUS is never defined, and so the sc_bus member of pci_softc is not present when compiling ofw_pci, resulting in the wrong softc size being passed to DEFINE_CLASS_1 and thus any attempts by pci(4) to access that member are out-of-bounds reads or writes.
>
> This is pretty fragile; arguably pci_private.h should be including sys/rman.h, but this is the minimal needed change to fix the bug whilst maintaining the status quo.
>
> Found by: CHERI
> Reported by: andrew
>
>
> Diffstat
> -rw-r--r-- sys/dev/ofw/ofw_pci.c 1
> 1 files changed, 1 insertions, 0 deletions
>
> diff --git a/sys/dev/ofw/ofw_pci.c b/sys/dev/ofw/ofw_pci.c > index 7f7aad379ddc..4bd6ccd64420 100644 > --- a/sys/dev/ofw/ofw_pci.c > +++ b/sys/dev/ofw/ofw_pci.c 
> @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); > #include <sys/bus.h> > #include <sys/kernel.h> > #include <sys/module.h> > +#include <sys/rman.h> > > #include <dev/pci/pcireg.h> > #include <dev/pci/pcivar.h> > > > > > (Note: leading whitespace might not be preserved.) === Mark Millard marklmi at yahoo.com
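
Review bot: The added `#include <sys/rman.h>` line carries no comment saying it is there only so that PCI_RES_BUS is defined before pci_private.h is processed, so a later include cleanup could drop it as apparently unused and bring back the wrong softc size without any build failure. Suggest a one-line comment beside the include stating that dependency, and, as the commit message itself notes, having pci_private.h include sys/rman.h so that every file sees the same pci_softc layout regardless of include order.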
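
The size mismatch the quoted commit message describes, as an added C example (not code from FreeBSD or from this thread): one struct body is compiled twice, with and without a macro-controlled member, and the access to that member is checked against the smaller allocation. All `demo_*` names and the contents of the `sc_bus` field are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a private header whose softc layout depends on a
 * macro that an earlier #include may or may not have defined. */
#define DEMO_SOFTC_FIELDS void *sc_dma_tag; DEMO_BUS_FIELD

/* View A: the driver file, compiled without the macro-defining header. */
#define DEMO_BUS_FIELD
struct demo_softc_driver { DEMO_SOFTC_FIELDS };
#undef DEMO_BUS_FIELD

/* View B: the bus code, compiled with the macro defined. */
#define DEMO_BUS_FIELD struct { void *res; int rid; } sc_bus;
struct demo_softc_bus { DEMO_SOFTC_FIELDS };
#undef DEMO_BUS_FIELD

/* Size the driver would register for each instance (its own view). */
size_t driver_alloc_size(void) { return sizeof(struct demo_softc_driver); }

/* Size the bus code assumes every instance has. */
size_t bus_view_size(void) { return sizeof(struct demo_softc_bus); }

/* Byte range the bus code touches when it uses sc_bus. */
size_t sc_bus_offset(void) { return offsetof(struct demo_softc_bus, sc_bus); }
size_t sc_bus_len(void) { return sizeof(((struct demo_softc_bus *)0)->sc_bus); }

/* Returns 1 if [off, off + len) lies inside an allocation of alloc bytes. */
int access_in_bounds(size_t alloc, size_t off, size_t len)
{
    return off <= alloc && len <= alloc - off;
}

int main(void)
{
    size_t alloc = driver_alloc_size();

    printf("driver allocates %zu bytes, bus code expects %zu\n",
        alloc, bus_view_size());
    printf("sc_bus occupies [%zu, %zu): %s\n",
        sc_bus_offset(), sc_bus_offset() + sc_bus_len(),
        access_in_bounds(alloc, sc_bus_offset(), sc_bus_len()) ?
        "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

Both views compile cleanly and nothing warns, which is why the commit message credits CHERI with finding the problem.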