From owner-svn-src-all@freebsd.org Wed Aug 24 20:11:53 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 711E8BC5B98; Wed, 24 Aug 2016 20:11:53 +0000 (UTC) (envelope-from landon@landonf.org) Received: from smtp.office.plausible.coop (static-108-51-93-21.washdc.fios.verizon.net [108.51.93.21]) by mx1.freebsd.org (Postfix) with ESMTP id 53F9612FD; Wed, 24 Aug 2016 20:11:52 +0000 (UTC) (envelope-from landon@landonf.org) Received: from [192.168.10.185] (c-71-196-138-4.hsd1.co.comcast.net [71.196.138.4]) by smtp.office.plausible.coop (Postfix) with ESMTPSA id AA97050801E; Wed, 24 Aug 2016 13:03:18 -0700 (PDT) Date: Wed, 24 Aug 2016 14:05:40 -0600 From: Landon J Fuller Subject: Re: svn commit: r304692 - head/sys/dev/bhnd/bhndb To: Shawn Webb Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Message-Id: <1472069140.8740.0@smtp.office.plausible.coop> In-Reply-To: <20160824120957.GA74786@mutt-hardenedbsd> References: <201608231903.u7NJ3Bjc019151@repo.freebsd.org> <20160824120957.GA74786@mutt-hardenedbsd> X-Mailer: geary/0.10.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Aug 2016 20:11:53 -0000 On Wed, Aug 24, 2016 at 6:09 AM, Shawn Webb wrote: > On Tue, Aug 23, 2016 at 07:03:11PM +0000, Landon J. Fuller wrote: >> Author: landonf >> Date: Tue Aug 23 19:03:11 2016 >> New Revision: 304692 >> URL: https://svnweb.freebsd.org/changeset/base/304692 >> >> Log: >> bhndb(4): Fix unsigned integer underflow in dynamic register >> window >> handling. This resulted in the window target being left >> uninitialized >> when an underflow occured. > > Is this remotely exploitable? What are the ramifications of this bug? As Michael noted, the WIP code isn't actively used anywhere, but if it were: The target address of a PCI BAR mapping into SoC address space could be left uninitialized, leading to a bhnd(4) bus driver reading/writing to whatever SoC physical address range the window happened to be pointing to -- most likely unmapped memory. It's very unlikely that full driver attach and network interface bring-up would succeed. -landonf