From owner-svn-src-head@freebsd.org Sun Jul 10 00:08:42 2016
Message-Id: <201607100008.u6A08fWA069171@repo.freebsd.org>
From: "Landon J. Fuller" <landonf@FreeBSD.org>
Date: Sun, 10 Jul 2016 00:08:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r302509 - head/sys/dev/bhnd/nvram
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: SVN commit messages for the src tree for head/-current

Author: landonf
Date: Sun Jul 10 00:08:40 2016
New Revision: 302509
URL: https://svnweb.freebsd.org/changeset/base/302509

Log:
  Fix heap overflow in bhnd(4) SPROM parsing.

  The bus_region_* APIs accept the number of data items to be read, while
  the code was passing the total number of bytes, resulting in an overflow
  of the SPROM parser's buffer.

  Approved by:	adrian (mentor)
  Differential Revision:	https://reviews.freebsd.org/D7168

Modified:
  head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c

Modified: head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
==============================================================================
--- head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c	Sat Jul 9 23:22:44 2016	(r302508)
+++ head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c	Sun Jul 10 00:08:40 2016	(r302509)
@@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc, p = (uint16_t *)buf; res_offset = sc->sp_res_off + offset; - bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes); + bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, + (nbytes / sizeof(uint16_t))); *crc = bhnd_nvram_crc8(p, nbytes, *crc); return (0);
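Review bot: the new item count `(nbytes / sizeof(uint16_t))` silently truncates an odd `nbytes`, while the following `*crc = bhnd_nvram_crc8(p, nbytes, *crc);` still covers all `nbytes` bytes of `p`, so an odd length would checksum one byte the bus read never filled. If every caller of sprom_direct_read() guarantees an even length, say so in a comment and enforce it (a KASSERT on `(nbytes % sizeof(uint16_t)) == 0`, or reject odd lengths with an error); otherwise round the read up to cover the partial word. A one-line comment at the call site noting that the last argument counts 16-bit items, not bytes, would also help, since that unit mismatch between the bus read and the byte-counted CRC call is exactly what produced the overflow.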
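The byte-count versus item-count mismatch described in the log, as an added C example that is not bhnd(4) code: mock_read_region_stream_2, sprom_read_buggy, sprom_read_fixed, sprom_image and scratch are hypothetical stand-ins that report an overrun instead of corrupting memory, and the rejection of an odd length goes beyond what the committed fix does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed SPROM image standing in for the bus-mapped resource. */
#define SPROM_IMAGE_LEN 64
static const uint8_t sprom_image[SPROM_IMAGE_LEN] = { 0x34, 0x12, 0x78, 0x56 };
/* The caller's 8-byte parse buffer that the buggy call overruns. */
static uint16_t scratch[4];

/*
 * Hypothetical stand-in for bhnd_bus_read_region_stream_2(): as in the
 * bus_space region API, `count` is a number of 16-bit items, not bytes.
 * `dst_len` is dst's capacity in bytes so the mock reports the overrun
 * instead of corrupting memory: returns 0 if the read fits, else the
 * number of bytes past the end of dst. Callers stay inside the image.
 */
static size_t
mock_read_region_stream_2(size_t res_off, uint16_t *dst, size_t dst_len,
    size_t count)
{
	size_t need = count * sizeof(uint16_t);
	if (need > dst_len)
		return (need - dst_len);
	memcpy(dst, sprom_image + res_off, need);	/* stream: no byte swap */
	return (0);
}

/* Before r302509: the byte count is passed where an item count belongs. */
static size_t
sprom_read_buggy(size_t off, uint16_t *buf, size_t buf_len, size_t nbytes)
{
	return (mock_read_region_stream_2(off, buf, buf_len, nbytes));
}

/*
 * After r302509: bytes converted to 16-bit items. Added here: an odd
 * nbytes is rejected, since the divide would drop its last byte while a
 * CRC over nbytes bytes (as in the real code) would still consume it.
 */
static size_t
sprom_read_fixed(size_t off, uint16_t *buf, size_t buf_len, size_t nbytes)
{
	if (nbytes % sizeof(uint16_t) != 0)
		return ((size_t)-1);
	return (mock_read_region_stream_2(off, buf, buf_len,
	    nbytes / sizeof(uint16_t)));
}
```

With an 8-byte buffer and nbytes = 8, the buggy call requests 8 items (16 bytes) and overruns by 8 bytes; the fixed call requests 4 items and fits exactly.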