[Bug 271759] [panic] [usb] [if_ure] unaligned access

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 31 May 2023 22:36:54 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271759

            Bug ID: 271759
           Summary: [panic] [usb] [if_ure] unaligned access
           Product: Base System
           Version: 13.2-STABLE
          Hardware: arm
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: arm
          Assignee: freebsd-arm@FreeBSD.org
          Reporter: freebsd@darkain.com

https://github.com/freebsd/freebsd-src/blob/main/sys/dev/usb/net/if_ure.c#LL616C1-L617C24

ure_makembuf() has the following code:

        /* uether_newbuf does this. */
        m_adj(m, ETHER_ALIGN);

based on that comment, it looks like someone copied m_adj() over because the
base usb ethernet driver has it, without really testing it or setting up the
mbuf correctly.

when m_adj is called here, m->m_len is 0 at this point so the call to m_adj()
does nothing.

because of this, the data is never shifted by 2 bytes, causing an unaligned
access to the IP headers when byte swapping later in the stack when converting
from network-order to host-order, causing a panic on 32-bit ARM systems.


NOTE: virtio-net has a similar unaligned access issue, however that driver
isn't calling m_adj() at all it looks like. This is referenced over in:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271288

-- 
You are receiving this mail because:
You are the assignee for the bug.