Bug 206755

Summary:	Use of initialised stack variables in tdfx_query_update
Product:	Base System	Reporter:	CTurt <ecturt>
Component:	kern	Assignee:	Mahdi Mokhtari <mmokhi>
Status:	Closed Overcome By Events
Severity:	Affects Only Me	CC:	emaste, op, secteam, shawn.webb
Priority:	---	Keywords:	patch
Version:	CURRENT
Hardware:	Any
OS:	Any
URL:	https://reviews.freebsd.org/D5132

Description CTurt 2016-01-30 09:53:38 UTC

`tdfx_query_update` in `sys/dev/tdfx/tdfx_pci.c` doesn't check the result of `copyin` calls:

static int
tdfx_query_update(u_int cmd, struct tdfx_pio_data *piod)
{
	/* XXX Comment this later, after careful inspection and spring cleaning :) */
	/* Return vals */
	u_int8_t  ret_byte;
	u_int16_t ret_word;
	u_int32_t ret_dword;
	
	...
	
	switch (piod->size) {
		case 1:
			copyin(piod->value, &ret_byte, 1);
			preval = ret_byte << (8 * (piod->port & 0x3));
			mask = 0xff << (8 * (piod->port & 0x3));
			break;
		case 2:
			copyin(piod->value, &ret_word, 2);
			preval = ret_word << (8 * (piod->port & 0x3));
			mask = 0xffff << (8 * (piod->port & 0x3));
			break;
		case 4:
			copyin(piod->value, &ret_dword, 4);
			preval = ret_dword;
			mask = ~0;
			break;
		default:
			return -EINVAL;
	}
	/* Finally, combine the values and write it to the port */
	retval = (retval & ~mask) | preval;
	pci_write_config(tdfx_info->dev, piod->port & ~3, retval, 4);

If the user supplies a bad pointer, so that the `copyin` calls fail, `pci_write_config` will be passed an uninitialised stack value.

Comment 1 CTurt 2016-01-30 09:59:00 UTC

Patch: https://github.com/HardenedBSD/hardenedBSD-playground/commit/e6beb7b2374ec4eb98e503890c4b38cda51a1844.patch

Comment 2 CTurt 2016-01-30 10:06:12 UTC

Missed one of the `copyin` calls in my original patch, an additional one is needed as well: https://github.com/HardenedBSD/hardenedBSD-playground/commit/ccf98fe9312539aca1154a9462d611d8fdc4f5fa.patch

Comment 3 Shawn Webb 2016-03-01 20:59:43 UTC

Any movement on this?

Comment 4 Mahdi Mokhtari freebsd_committer

2016-03-02 11:09:11 UTC

(In reply to Shawn Webb from comment #3)
patch submitted and committed AFAIK :D

Comment 5 Shawn Webb 2016-03-02 12:59:41 UTC

(In reply to Mahdi Mokhtari from comment #4)

Seems like it's still uncommitted. The patch on Phabricator is still marked as open.

Comment 6 Mahdi Mokhtari freebsd_committer

2016-03-02 13:19:04 UTC

(In reply to Shawn Webb from comment #5)
@Shawn: i see it's committed on source.
Try to update your local src tree (if you have one).
maybe we should close that review on Phabricator, or contact committer to do that.

Comment 7 Eitan Adler freebsd_committer

2018-05-23 10:27:41 UTC

batch change of PRs untouched in 2018 marked "in progress" back to open.

Comment 8 Mark Linimon freebsd_committer

2024-01-07 12:07:20 UTC

^Triage: apparently committed long ago.