svn commit: r304692 - head/sys/dev/bhnd/bhndb
Landon J Fuller
landonf at freebsd.org
Wed Aug 24 20:11:53 UTC 2016
On Wed, Aug 24, 2016 at 6:09 AM, Shawn Webb
<shawn.webb at hardenedbsd.org> wrote:
> On Tue, Aug 23, 2016 at 07:03:11PM +0000, Landon J. Fuller wrote:
>> Author: landonf
>> Date: Tue Aug 23 19:03:11 2016
>> New Revision: 304692
>> URL: https://svnweb.freebsd.org/changeset/base/304692
>>
>> Log:
>> bhndb(4): Fix unsigned integer underflow in dynamic register
>> window
>> handling. This resulted in the window target being left
>> uninitialized
>> when an underflow occured.
>
> Is this remotely exploitable? What are the ramifications of this bug?
As Michael noted, the WIP code isn't actively used anywhere, but if it
were: The target address of a PCI BAR mapping into SoC address space
could be left uninitialized, leading to a bhnd(4) bus driver
reading/writing to whatever SoC physical address range the window
happened to be pointing to -- most likely unmapped memory.
It's very unlikely that full driver attach and network interface
bring-up would succeed.
-landonf
More information about the svn-src-head
mailing list