Bug 207037 - ixv driver uses uninitialized offset variable and writes into arbitrary pci config register
Summary: ixv driver uses uninitialized offset variable and writes into arbitrary pci c...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-net (Nobody)
Keywords: IntelNetworking, patch
Depends on:
Reported: 2016-02-08 23:13 UTC by Jeremiah
Modified: 2016-02-09 01:31 UTC

See Also:

Patch to illustrate the problem (805 bytes, patch)
2016-02-08 23:13 UTC, Jeremiah

Description Jeremiah 2016-02-08 23:13:03 UTC
Created attachment 166768 [details]
Patch to illustrate the problem

In the QEMU workaround code in if_ixv.c, the ixv driver calls pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code from that function and the function appears to always be failing. This then causes the driver to use the rid variable uninitialized, which will mean setting a bit at an arbitrary offset in pci config space. For now, this seems to have no adverse impact, but it could easily cause very subtle problems. Also the QEMU workaround is probably non-functional because of this.

I've attached a patch for a partial solution that checks the error code and skips the PCI write if it fails. This avoids the erroneous PCI accesses, but it would be better if we could figure out why finding the capability is failing (I have not debugged it that far).
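An added illustration of the check the report asks for; this is example code written for this page, not code from if_ixv.c, FreeBSD's pci(9), or the attached patch. Everything in it is a constructed stand-in: `mock_dev` is a 256-byte fake config space, `mock_pci_find_cap` mirrors the return-code contract of pci_find_cap(9) (0 on success with the offset stored, ENOENT on failure, out-parameter untouched), and `build_dev` fabricates a device with or without an MSI-X capability. The point it demonstrates is that once the return code is checked, a failed lookup produces no config-space write at all, so no bit lands at an arbitrary offset:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 256-byte PCI configuration space. Offset 0x34
 * holds the capability-list pointer and each capability starts with
 * <ID, next-pointer>. None of this is FreeBSD's pci(9) code. */
#define CFG_SIZE         256
#define CAP_PTR_OFF      0x34
#define CAP_ID_MSI       0x05
#define CAP_ID_MSIX      0x11     /* the ID that PCIY_MSIX denotes */
#define MSIX_CTRL_ENABLE 0x8000   /* MSI-X Enable bit in Message Control */

struct mock_dev {
    uint8_t cfg[CFG_SIZE];
};

/* Mirrors the contract of pci_find_cap(9): 0 on success with *offp set,
 * ENOENT when the capability is absent. On failure *offp is left untouched,
 * which is exactly why an uninitialised caller variable is dangerous. */
static int mock_pci_find_cap(const struct mock_dev *dev, uint8_t cap_id, int *offp)
{
    uint8_t ptr = dev->cfg[CAP_PTR_OFF] & 0xFC;   /* low two bits are reserved */
    int hops = 0;

    while (ptr >= 0x40 && hops++ < 48) {          /* bounded walk: no cycles, stays in range */
        if (dev->cfg[ptr] == cap_id) {
            *offp = ptr;
            return 0;
        }
        ptr = dev->cfg[ptr + 1] & 0xFC;
    }
    return ENOENT;
}

/* Hardened form of the workaround pattern: the return code is checked and
 * the config-space write is skipped when the capability is not found.
 * Returns 0 after setting the enable bit, ENOENT if nothing was written. */
static int msix_enable_checked(struct mock_dev *dev)
{
    int rid;            /* left uninitialised, as in the driver's pattern */
    uint16_t ctrl;

    if (mock_pci_find_cap(dev, CAP_ID_MSIX, &rid) != 0)
        return ENOENT;  /* rid holds garbage here; bail out before touching config space */

    ctrl = (uint16_t)(dev->cfg[rid + 2] | (dev->cfg[rid + 3] << 8));
    ctrl |= MSIX_CTRL_ENABLE;
    dev->cfg[rid + 2] = (uint8_t)(ctrl & 0xFF);
    dev->cfg[rid + 3] = (uint8_t)(ctrl >> 8);
    return 0;
}

/* Builds a constructed device: an MSI capability at 0x50, optionally chained
 * to an MSI-X capability at 0x70 whose enable bit starts clear. */
static void build_dev(struct mock_dev *dev, int with_msix)
{
    memset(dev, 0, sizeof(*dev));
    dev->cfg[CAP_PTR_OFF] = 0x50;
    dev->cfg[0x50] = CAP_ID_MSI;
    dev->cfg[0x51] = with_msix ? 0x70 : 0x00;
    if (with_msix) {
        dev->cfg[0x70] = CAP_ID_MSIX;
        dev->cfg[0x71] = 0x00;
        dev->cfg[0x72] = 0x07;     /* Table Size field; enable bit clear */
        dev->cfg[0x73] = 0x00;
    }
}

/* 1 if the two config spaces are byte-identical, so a test can prove that a
 * failed lookup produced no write anywhere. */
static int config_unchanged(const struct mock_dev *a, const struct mock_dev *b)
{
    return memcmp(a->cfg, b->cfg, CFG_SIZE) == 0;
}

int main(void)
{
    struct mock_dev dev, snapshot;
    int rc;

    build_dev(&dev, 1);
    rc = msix_enable_checked(&dev);
    printf("with MSI-X: rc=%d, ctrl=0x%02x%02x\n", rc, dev.cfg[0x73], dev.cfg[0x72]);

    build_dev(&dev, 0);
    snapshot = dev;
    rc = msix_enable_checked(&dev);
    printf("without MSI-X: rc=%d, untouched=%d\n", rc, config_unchanged(&dev, &snapshot));
    return 0;
}
```

The snapshot comparison in the second case is the property worth keeping in a regression test for the real driver: with the return code checked, a device that lacks the capability must come out of the workaround with its configuration space bit-for-bit unchanged.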