https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206755
Bug ID: 206755
Summary: Use of initialised stack variables in
tdfx_query_update
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ct...@hardenedbsd.org
`tdfx_query_update` in `sys/dev/tdfx/tdfx_pci.c` doesn't check the result of
`copyin` calls:
static int
tdfx_query_update(u_int cmd, struct tdfx_pio_data *piod)
{
/* XXX Comment this later, after careful inspection and spring cleaning
:) */
/* Return vals */
u_int8_t ret_byte;
u_int16_t ret_word;
u_int32_t ret_dword;
...
switch (piod->size) {
case 1:
copyin(piod->value, &ret_byte, 1);
preval = ret_byte << (8 * (piod->port & 0x3));
mask = 0xff << (8 * (piod->port & 0x3));
break;
case 2:
copyin(piod->value, &ret_word, 2);
preval = ret_word << (8 * (piod->port & 0x3));
mask = 0xffff << (8 * (piod->port & 0x3));
break;
case 4:
copyin(piod->value, &ret_dword, 4);
preval = ret_dword;
mask = ~0;
break;
default:
return -EINVAL;
}
/* Finally, combine the values and write it to the port */
retval = (retval & ~mask) | preval;
pci_write_config(tdfx_info->dev, piod->port & ~3, retval, 4);
If the user supplies a bad pointer, so that the `copyin` calls fail,
`pci_write_config` will be passed an uninitialised stack value.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
