Bug 30857

Summary: [intr] [patch] intr_machdep.c allows access out of array bound
Product: Base System
Reporter: davidx <davidx>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description davidx 2001-09-27 02:40:00 UTC
In source file /sys/i386/isa/intr_machdep.c, function icu_setup
does not detect the array bound correctly, allowing access to out-of-bounds data.

Fix: patch is here:
Comment 1 Bruce Evans 2001-09-27 06:55:24 UTC
On Wed, 26 Sep 2001, David Xu wrote:

> >Description:
> In source file /sys/i386/isa/intr_machdep.c, function icu_setup
> does not detect the array bound correctly, allowing access to out-of-bounds data.
> >How-To-Repeat:
>
> >Fix:
> patch is here:
> --- intr_machdep.c.orig	Thu Sep 27 09:03:29 2001
> +++ intr_machdep.c	Thu Sep 27 09:04:11 2001
> @@ -433,6 +433,7 @@
>  #else
>  	if ((u_int)intr >= ICU_LEN || intr == ICU_SLAVEID)
>  #endif /* APIC_IO */
> +		return (EINVAL);

These bytes rotted away when register_intr() was mutated to icu_setup() in
rev.1.85 of sys/i386/isa/isa.c.

>  	if (intr_handler[intr] != isa_strayintr)
>  		return (EBUSY);
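
Review bot: Placing `return (EINVAL);` after `#endif /* APIC_IO */` leaves the range test and its body on opposite sides of the preprocessor block, which makes the statement easy to drop in a later edit. Only the `#else` test is visible in this context, so confirm the `#if` branch also ends on a bare `if (...)` line, and consider moving the return inside each branch or bracing the statement so the test cannot be separated from its body. Without the added line the range test takes the following `if (intr_handler[intr] != isa_strayintr)` as its body, so the table is indexed only when `intr` has already failed the test.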

Bruce
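
How the missing statement changes control flow, as an added example that is not code from this PR or from FreeBSD: a user-space model of the quoted lines before and after the patch. The values of `ICU_LEN` and `ICU_SLAVEID`, the `claimed` table, and the names `slot_busy`, `setup_unpatched` and `setup_patched` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
/* Constructed stand-ins for the kernel definitions; values are assumed. */
#define ICU_LEN     16
#define ICU_SLAVEID 2

static int claimed[ICU_LEN];  /* 1 = handler installed, 0 = stray (free) */
static int oob_reads;         /* out-of-range table lookups observed */

/* Models `intr_handler[intr] != isa_strayintr`, but counts an out-of-range
 * index instead of performing the invalid read. */
static int slot_busy(int intr)
{
    if ((unsigned)intr >= ICU_LEN) {
        oob_reads++;
        return 0;
    }
    return claimed[intr];
}

/* Pre-patch parse: the bare range test takes the busy check as its body. */
static int setup_unpatched(int intr)
{
    if ((unsigned)intr >= ICU_LEN || intr == ICU_SLAVEID)
        if (slot_busy(intr))
            return EBUSY;
    return 0;  /* 0 = would go on to install a handler */
}

/* With the patch's `return (EINVAL);` restored as the body. */
static int setup_patched(int intr)
{
    if ((unsigned)intr >= ICU_LEN || intr == ICU_SLAVEID)
        return EINVAL;
    if (slot_busy(intr))
        return EBUSY;
    return 0;
}

int main(void)
{
    int samples[] = { 3, 5, ICU_SLAVEID, ICU_LEN + 4, -1 };  /* constructed */
    claimed[5] = 1;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = oob_reads, u = setup_unpatched(samples[i]);
        printf("intr=%3d unpatched=%d oob_reads=%d patched=%d\n", samples[i], u, oob_reads - before, setup_patched(samples[i]));
    }
    return 0;
}
```

In the unpatched model the table lookup runs only for values that failed the range test, and an in-range slot that is already claimed is accepted because its busy check is never reached.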
Comment 2 Colin Percival freebsd_committer freebsd_triage 2004-02-17 17:48:51 UTC
State Changed
From-To: open->closed

Fixed by jlemon by Sept 2001.
Comment 3 Colin Percival freebsd_committer freebsd_triage 2004-02-18 03:39:53 UTC
State Changed
From-To: closed->patched

Sorry, I wasn't paying attention.  This still needs to be 
fixed in RELENG_4.
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2007-06-10 07:17:21 UTC
State Changed
From-To: patched->closed

RELENG_4 is now out of support, so this PR is obsolete.