From owner-svn-src-head@freebsd.org  Wed Aug 24 20:11:53 2016
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 711E8BC5B98;
 Wed, 24 Aug 2016 20:11:53 +0000 (UTC)
 (envelope-from landon@landonf.org)
Received: from smtp.office.plausible.coop
 (static-108-51-93-21.washdc.fios.verizon.net [108.51.93.21])
 by mx1.freebsd.org (Postfix) with ESMTP id 53F9612FD;
 Wed, 24 Aug 2016 20:11:52 +0000 (UTC)
 (envelope-from landon@landonf.org)
Received: from [192.168.10.185] (c-71-196-138-4.hsd1.co.comcast.net
 [71.196.138.4])
 by smtp.office.plausible.coop (Postfix) with ESMTPSA id AA97050801E;
 Wed, 24 Aug 2016 13:03:18 -0700 (PDT)
Date: Wed, 24 Aug 2016 14:05:40 -0600
From: Landon J Fuller <landonf@freebsd.org>
Subject: Re: svn commit: r304692 - head/sys/dev/bhnd/bhndb
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Message-Id: <1472069140.8740.0@smtp.office.plausible.coop>
In-Reply-To: <20160824120957.GA74786@mutt-hardenedbsd>
References: <201608231903.u7NJ3Bjc019151@repo.freebsd.org>
 <20160824120957.GA74786@mutt-hardenedbsd>
X-Mailer: geary/0.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 20:11:53 -0000

On Wed, Aug 24, 2016 at 6:09 AM, Shawn Webb 
<shawn.webb@hardenedbsd.org> wrote:
> On Tue, Aug 23, 2016 at 07:03:11PM +0000, Landon J. Fuller wrote:
>>  Author: landonf
>>  Date: Tue Aug 23 19:03:11 2016
>>  New Revision: 304692
>>  URL: https://svnweb.freebsd.org/changeset/base/304692
>> 
>>  Log:
>>    bhndb(4): Fix unsigned integer underflow in dynamic register 
>> window
>>    handling. This resulted in the window target being left 
>> uninitialized
>>    when an underflow occured.
> 
> Is this remotely exploitable? What are the ramifications of this bug?

As Michael noted, the WIP code isn't actively used anywhere, but if it 
were: The target address of a PCI BAR mapping into SoC address space 
could be left uninitialized, leading to a bhnd(4) bus driver 
reading/writing to whatever SoC physical address range the window 
happened to be pointing to -- most likely unmapped memory.

It's very unlikely that full driver attach and network interface 
bring-up would succeed.

-landonf