Date: Wed, 24 Aug 2016 14:05:40 -0600 From: Landon J Fuller <landonf@freebsd.org> To: Shawn Webb <shawn.webb@hardenedbsd.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r304692 - head/sys/dev/bhnd/bhndb Message-ID: <1472069140.8740.0@smtp.office.plausible.coop> In-Reply-To: <20160824120957.GA74786@mutt-hardenedbsd> References: <201608231903.u7NJ3Bjc019151@repo.freebsd.org> <20160824120957.GA74786@mutt-hardenedbsd>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 24, 2016 at 6:09 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > On Tue, Aug 23, 2016 at 07:03:11PM +0000, Landon J. Fuller wrote: >> Author: landonf >> Date: Tue Aug 23 19:03:11 2016 >> New Revision: 304692 >> URL: https://svnweb.freebsd.org/changeset/base/304692 >> >> Log: >> bhndb(4): Fix unsigned integer underflow in dynamic register >> window >> handling. This resulted in the window target being left >> uninitialized >> when an underflow occured. > > Is this remotely exploitable? What are the ramifications of this bug? As Michael noted, the WIP code isn't actively used anywhere, but if it were: The target address of a PCI BAR mapping into SoC address space could be left uninitialized, leading to a bhnd(4) bus driver reading/writing to whatever SoC physical address range the window happened to be pointing to -- most likely unmapped memory. It's very unlikely that full driver attach and network interface bring-up would succeed. -landonf
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1472069140.8740.0>