From owner-freebsd-bugs@FreeBSD.ORG Thu Jul 19 19:20:14 2012
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 309571065674 for ; Thu, 19 Jul 2012 19:20:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id E49648FC19 for ; Thu, 19 Jul 2012 19:20:13 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q6JJKDfu098819 for ; Thu, 19 Jul 2012 19:20:13 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q6JJKDFs098818; Thu, 19 Jul 2012 19:20:13 GMT (envelope-from gnats)
Resent-Date: Thu, 19 Jul 2012 19:20:13 GMT
Resent-Message-Id: <201207191920.q6JJKDFs098818@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Mark Johnston
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B6A911065675 for ; Thu, 19 Jul 2012 19:15:12 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id A16D88FC1C for ; Thu, 19 Jul 2012 19:15:12 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6JJF6kc023835 for ; Thu, 19 Jul 2012 19:15:06 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id q6JJF6AN023826; Thu, 19 Jul 2012 19:15:06 GMT (envelope-from nobody)
Message-Id: <201207191915.q6JJF6AN023826@red.freebsd.org>
Date: Thu, 19 Jul 2012 19:15:06 GMT
From: Mark Johnston
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/170003: [ichsmb] buffer overflow during block read
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 19 Jul 2012 19:20:14 -0000

>Number: 170003
>Category: kern
>Synopsis: [ichsmb] buffer overflow during block read
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 19 19:20:13 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Mark Johnston
>Release: CURRENT
>Organization: Sandvine Inc.
>Environment:
FreeBSD oddish 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r237931+09aeb19-dirty: Sun Jul 1 13:10:47 EDT 2012 mark@oddish:/home/mark/src/obj/usr/home/mark/src/freebsd/sys/GENERIC amd64
>Description:
ichsmb(4) uses a 32-byte buffer in the softc to hold the bytes received from a block read command. When such a command is issued, the hardware is supposed to fill out the host data 0 register with the number of bytes to be returned. Some devices return more than 32 bytes for some reason, causing ichsmb to clobber parts of its softc. In my case, the mutex gets overwritten, leading to a panic during execution of the next smbus command.
>How-To-Repeat:
It may not be reproducible depending on the devices available on the bus. Try running the program here: http://www.student.cs.uwaterloo.ca/~m6johnst/smbbread.c
>Fix:
Attached patch.

Patch attached with submission follows:

diff --git a/sys/dev/ichsmb/ichsmb.c b/sys/dev/ichsmb/ichsmb.c index 5ff54db..ac4d191 100644 --- a/sys/dev/ichsmb/ichsmb.c +++ b/sys/dev/ichsmb/ichsmb.c
@@ -575,8 +575,9 @@ ichsmb_device_intr(void *cookie) /* First interrupt, get the count also */ if (sc->block_index == 0) { - sc->block_count = bus_read_1( - sc->io_res, ICH_D0); + sc->block_count = min( + bus_read_1(sc->io_res, ICH_D0), + sizeof(sc->block_data)); } /* Get next byte, if any */ >Release-Note: >Audit-Trail: >Unformatted:
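Review bot: the clamp in the `if (sc->block_index == 0)` branch silently truncates an oversized transfer: when the device announces more than `sizeof(sc->block_data)` bytes the driver now records 32 and completes the transaction as if it were normal, and nothing in the hunk records that the device misbehaved or that the remaining bytes were dropped. Suggest keeping the raw `bus_read_1(sc->io_res, ICH_D0)` value in a local, comparing it to `sizeof(sc->block_data)`, and when it is larger emitting a `device_printf` diagnostic (or flagging the transaction as failed) before storing the clamped count, so a misbehaving device shows up in the log instead of being quietly trimmed. A one-line comment above the `min()` saying that the clamp exists to keep a device-supplied count from overrunning the softc would also help the next reader, since the reason is only in this PR.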
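The overflow the report describes, as an added illustration that is not part of the PR or of the ichsmb driver's source: a constructed stand-in for the softc (only `block_count`, `block_index`, the 32-byte `block_data` buffer and a 4-byte marker standing in for the mutex that follows the buffer in memory) and a constructed controller model whose host data 0 register reports whatever count the device announces. `block_read()` drains bytes the way the interrupt handler does; with `patched == 0` it trusts the announced count, as the unpatched driver did, and with `patched != 0` it clamps the count to the buffer size as the submitted fix does. The names `fake_softc`, `fake_ich`, `ich_read_d0`, `ich_read_block_db`, `softc_store` and `MTX_MAGIC` are assumptions for this model, not identifiers from the driver; the device byte stream is constructed, not captured from hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMBus caps a block transfer at 32 bytes; the driver's softc buffer is that size. */
#define ICHSMB_BLOCK_MAX 32

/* Constructed stand-in for the softc with only the fields the bug touches.
 * mtx_magic models the mutex that sits right after block_data in memory. */
struct fake_softc {
	uint8_t block_count;
	uint8_t block_index;
	uint8_t block_data[ICHSMB_BLOCK_MAX];
	uint8_t mtx_magic[4];
};

static const uint8_t MTX_MAGIC[4] = { 'M', 'T', 'X', '!' };

/* Constructed controller model: d0 is the host data 0 register (ICH_D0) holding
 * the count the device announced; each read of the block data register yields
 * the next byte of a constructed stream. */
struct fake_ich {
	uint8_t d0;
	uint8_t stream[256];
	size_t pos;
};

static void ich_init(struct fake_ich *h, uint8_t reported)
{
	h->d0 = reported;
	h->pos = 0;
	for (size_t i = 0; i < sizeof(h->stream); i++)
		h->stream[i] = (uint8_t)(0xA0 + i);	/* constructed device data */
}

static uint8_t ich_read_d0(struct fake_ich *h) { return h->d0; }
static uint8_t ich_read_block_db(struct fake_ich *h) { return h->stream[h->pos++]; }

static void softc_init(struct fake_softc *sc)
{
	memset(sc, 0, sizeof(*sc));
	memcpy(sc->mtx_magic, MTX_MAGIC, sizeof(sc->mtx_magic));
}

/* Byte-wise store into the softc image. Writing past block_data lands in the
 * field that follows it, as in the real driver; the model stops at the end of
 * the object, where the real kernel would keep scribbling over memory. */
static void softc_store(struct fake_softc *sc, size_t idx, uint8_t v)
{
	size_t off = offsetof(struct fake_softc, block_data) + idx;
	if (off < sizeof(*sc))
		((uint8_t *)sc)[off] = v;
}

/* One block-read transaction driven the way the interrupt handler drains it:
 * the count is read from ICH_D0 on the first interrupt, then one byte per
 * interrupt. patched == 0 trusts the device's count (the bug); patched != 0
 * clamps it to the buffer size as the fix does. Returns the recorded count. */
static int block_read(struct fake_softc *sc, struct fake_ich *h, int patched)
{
	sc->block_index = 0;
	for (;;) {
		if (sc->block_index == 0) {
			uint8_t n = ich_read_d0(h);
			sc->block_count = (patched && n > ICHSMB_BLOCK_MAX)
			    ? (uint8_t)ICHSMB_BLOCK_MAX : n;
		}
		if (sc->block_index >= sc->block_count)
			break;
		softc_store(sc, sc->block_index, ich_read_block_db(h));
		sc->block_index++;
	}
	return sc->block_count;
}

/* Count the driver records for a device announcing `reported` bytes. */
static int recorded_count(uint8_t reported, int patched)
{
	struct fake_softc sc; struct fake_ich h;
	softc_init(&sc); ich_init(&h, reported);
	return block_read(&sc, &h, patched);
}

/* 1 if the mutex stand-in survived the read, 0 if it was overwritten. */
static int mutex_survives(uint8_t reported, int patched)
{
	struct fake_softc sc; struct fake_ich h;
	softc_init(&sc); ich_init(&h, reported);
	block_read(&sc, &h, patched);
	return memcmp(sc.mtx_magic, MTX_MAGIC, sizeof(MTX_MAGIC)) == 0;
}

/* 1 if the bytes kept in block_data match the head of what the device sent. */
static int data_matches(uint8_t reported, int patched)
{
	struct fake_softc sc; struct fake_ich h;
	softc_init(&sc); ich_init(&h, reported);
	int n = block_read(&sc, &h, patched);
	if (n > ICHSMB_BLOCK_MAX) n = ICHSMB_BLOCK_MAX;
	return memcmp(sc.block_data, h.stream, (size_t)n) == 0;
}

int main(void)
{
	printf("device announces 40 bytes, unpatched: count=%d mutex intact=%d data ok=%d\n",
	    recorded_count(40, 0), mutex_survives(40, 0), data_matches(40, 0));
	printf("device announces 40 bytes, patched:   count=%d mutex intact=%d data ok=%d\n",
	    recorded_count(40, 1), mutex_survives(40, 1), data_matches(40, 1));
	return 0;
}
```

The point the model makes visible is that the valid data is identical in both cases; the only difference the clamp makes is that bytes 33 and up no longer land on the field after the buffer, which in the real softc is the mutex the next smbus command will try to take.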