| Summary: | Out of bounds negative array index in iicrdwr | | |
|---|---|---|---|
| Product: | Base System | Reporter: | CTurt <ecturt> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | emaste, gonzo, mmokhi, ngie, op |
| Priority: | --- | Keywords: | patch, patch-ready, security |
| Version: | CURRENT | Flags: | mmokhi: mfc-stable10? mmokhi: mfc-stable9? |
| Hardware: | Any | | |
| OS: | Any | | |
| URL: | https://reviews.freebsd.org/D5132 | | |
| See Also: | https://reviews.freebsd.org/D5155 | | |
Description
CTurt
2016-01-30 09:33:55 UTC
Potential patch is to change the type of `i` from `int` to `uint32_t` to match that of `d->nmsgs`: https://github.com/HardenedBSD/hardenedBSD-playground/commit/4cf6de4b16eda71c4ae3cbec24cf6ef054351b7b.patch

However, some bound checks might be a cleaner solution.

I've made a patch based on CTurt's for this and issue #206755, waiting to be reviewed and approved.

A commit references this bug:

Author: ngie
Date: Sat Jan 30 18:33:24 UTC 2016
New revision: 295080
URL: https://svnweb.freebsd.org/changeset/base/295080

Log:
Use the correct type for i when iterating over `buf` to avoid unlikely negative array indexing in iicrdwr(..)

Differential Revision: https://reviews.freebsd.org/D5132
Obtained from: HardenedBSD
PR: 206754
Reported by: CTurt <cturt@hardenedbsd.org>
Submitted by: Madhi Moktari <mokhi64@gmail.com>
Sponsored by: EMC / Isilon Storage Division

Changes:
head/sys/dev/iicbus/iic.c

Thanks for the submission! Will work on MFCing back to stable/10 and stable/9 as needed.

(In reply to Ngie Cooper from comment #4)
@Ngie: will it be MFC'ed?

(In reply to Mahdi Mokhtari from comment #5)
This item hasn't been MFCed yet due to other QA issues with the module. Will open another bug with more info.

(In reply to Ngie Cooper from comment #6)
Okay. Thanks for assigning it to yourself :) Then, please make this issue depend on the one you'll create.

Untaking bug -- I don't have the hardware to test out this component and this driver has other architectural issues that I don't want to get stuck dealing with.

The fix was committed as base r300258. Closing as Fixed.
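The type mismatch the report describes (an `int` loop index compared against an unsigned `nmsgs`, so the index can run past `INT_MAX` and wrap negative) and the two remedies it mentions (an index of the same unsigned type, plus an explicit bound check on the count) are shown below as an added C example. It is not the FreeBSD iic driver's code: `struct rdwr_req`, `struct msg`, `MAX_MSGS`, `sum_msg_lengths` and the sample messages are constructed here for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a read/write request. Only the shape matters:
 * the message count is unsigned, as in the report. */
#define MAX_MSGS 16

struct msg {
    uint16_t len;
};

struct rdwr_req {
    uint32_t nmsgs;       /* unsigned, supplied by the caller */
    struct msg *msgs;
};

/* Demonstrates the signed/unsigned comparison behind the bug: when an int
 * is compared with a uint32_t, the int is converted to unsigned, so a
 * negative index such as -1 compares as 0xFFFFFFFF and is NOT less than
 * a small count. A loop keyed on "i < nmsgs" with an int i therefore does
 * not stop once i has gone negative. */
int signed_index_compares_less(int i, uint32_t nmsgs)
{
    return i < nmsgs;    /* signed_index_compares_less(-1, 5) returns 0 */
}

/* Hardened walk over the messages: reject an out-of-range count before
 * touching the array, then iterate with an index of the same unsigned
 * type as the count so it can never wrap to a negative value.
 * Returns 0 on success, -1 on an invalid request. */
int sum_msg_lengths(const struct rdwr_req *d, uint64_t *total)
{
    uint32_t i;

    if (d == NULL || total == NULL || d->msgs == NULL)
        return -1;
    if (d->nmsgs == 0 || d->nmsgs > MAX_MSGS)
        return -1;        /* EINVAL-style rejection of absurd counts */

    *total = 0;
    for (i = 0; i < d->nmsgs; i++)
        *total += d->msgs[i].len;
    return 0;
}

int main(void)
{
    /* Constructed sample request with three messages. */
    struct msg m[3] = { {10}, {20}, {30} };
    struct rdwr_req ok = { 3, m };
    struct rdwr_req huge = { 0xFFFFFFFFu, m };
    uint64_t total = 0;

    printf("-1 < 5u as int-vs-uint32: %d\n", signed_index_compares_less(-1, 5));
    printf("valid request: rc=%d total=%llu\n",
           sum_msg_lengths(&ok, &total), (unsigned long long)total);
    printf("huge nmsgs:    rc=%d\n", sum_msg_lengths(&huge, &total));
    return 0;
}
```

The bound check is the piece the `uint32_t` index alone does not give you: with a matching unsigned type the loop can no longer go negative, but without a cap on `nmsgs` it would still read past the end of a shorter array, which is why the description says explicit bound checks might be the cleaner fix.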