From: Mark Millard
Subject: RE: ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads (Should it have been MFC'd?)
Date: Mon, 26 Dec 2022 19:54:57 -0800
To: "jrtc27@freebsd.org", freebsd-current, FreeBSD-STABLE Mailing List
Cc: freebsd-arm

Should the following have been MFC'd? (I ran into this while looking to see why I see a boot message oddity on 13.* that I do not see on main [so: 14]. There was a time when main also produced the odd messages. But I'm not claiming that this is what makes the difference. The oddity was observed on aarch64 RPi4B's.)

author Jessica Clarke 2022-01-15 19:03:53 +0000
committer Jessica Clarke 2022-01-15 19:03:53 +0000
commit 4e3a43905e3ff7b9fcf228022f05d636f79c4b42 (patch)
tree b6be66e54604bb2c1fbdfde27bf8a6644e04fd05
parent 3266a0c5d5abe8dd14de8478edec3e878e4a1c0b (diff)
download src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.tar.gz src-4e3a43905e3ff7b9fcf228022f05d636f79c4b42.zip

ofw_pci: Fix incorrectly sized softc causing pci(4) out-of-bounds reads

We do not include sys/rman.h and so machine/resource.h ends up not being included by the time pci_private.h is included. This means PCI_RES_BUS is never defined, and so the sc_bus member of pci_softc is not present when compiling ofw_pci, resulting in the wrong softc size being passed to DEFINE_CLASS_1 and thus any attempts by pci(4) to access that member are out-of-bounds reads or writes.

This is pretty fragile; arguably pci_private.h should be including sys/rman.h, but this is the minimal needed change to fix the bug whilst maintaining the status quo.

Found by: CHERI
Reported by: andrew

Diffstat
-rw-r--r-- sys/dev/ofw/ofw_pci.c 1
1 files changed, 1 insertions, 0 deletions

diff --git a/sys/dev/ofw/ofw_pci.c b/sys/dev/ofw/ofw_pci.c index 7f7aad379ddc..4bd6ccd64420 100644 --- a/sys/dev/ofw/ofw_pci.c +++ b/sys/dev/ofw/ofw_pci.c @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include =20 #include #include

(Note: leading whitespace might not be preserved.)

===
Mark Millard
marklmi at yahoo.com
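
Review bot: The added +#include in the @@ -33,6 +33,7 @@ hunk of sys/dev/ofw/ofw_pci.c has no comment marking it as order-sensitive, although the commit message says the softc size depends on PCI_RES_BUS being defined before pci_private.h is read. As written, a later include cleanup or reordering in this file could drop or move the line and bring back the short softc without any build failure. Suggest a one-line comment on the added include stating that dependency. The sturdier follow-up is the one the commit message itself raises: have pci_private.h include what it needs, so every file that uses pci_softc sees the same layout.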
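
The mechanism the commit message describes, reduced to a single file as an added example (not FreeBSD code and not part of the commit or the e-mail): one struct body is compiled with and without a macro, and a bounds-checked accessor shows that the conditional member lies outside a softc allocated with the smaller size. The DEMO_RES_BUS macro, the two struct names and the demo_* functions are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for one header struct seen by two source files. */
#define DEMO_RES_BUS 5	/* file A: the defining header was included */
struct softc_a {
	void *sc_dma_tag;
#ifdef DEMO_RES_BUS
	void *sc_bus;
#endif
};
#undef DEMO_RES_BUS	/* file B: it was not, so the member vanishes */
struct softc_b {
	void *sc_dma_tag;
#ifdef DEMO_RES_BUS
	void *sc_bus;
#endif
};

/* Bounds-checked field access: NULL if [off, off+len) leaves the softc. */
static void *demo_softc_field(void *softc, size_t size, size_t off, size_t len)
{
	if (off > size || len > size - off)
		return NULL;
	return (char *)softc + off;
}

/* 1 if file A's code can reach sc_bus in a softc of registered_size. */
static int demo_bus_reachable(size_t registered_size)
{
	void *softc = calloc(1, registered_size);
	int ok;
	if (softc == NULL)
		return -1;
	ok = demo_softc_field(softc, registered_size,
	    offsetof(struct softc_a, sc_bus), sizeof(void *)) != NULL;
	free(softc);
	return ok;
}

int main(void)
{
	printf("A=%zu B=%zu bytes; sc_bus reachable: B-sized %d, A-sized %d\n",
	    sizeof(struct softc_a), sizeof(struct softc_b),
	    demo_bus_reachable(sizeof(struct softc_b)),
	    demo_bus_reachable(sizeof(struct softc_a)));
	return 0;
}
```

The explicit range check in demo_softc_field is a software stand-in for the per-allocation bounds that CHERI enforces in hardware, which is why such a mismatch faults there instead of silently touching adjacent memory.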