Date: Fri, 13 Aug 2010 22:49:06 GMT
From: Jerome D <jerome65d@hotmail.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/149636: buffer overflow in pci_device_freebsd_read_rom() called from find_bios_string() in s3v_driver.c
Message-ID: <201008132249.o7DMn6C5071072@www.freebsd.org>
Resent-Message-ID: <201008132250.o7DMo3Rg013546@freefall.freebsd.org>
>Number:         149636
>Category:       ports
>Synopsis:       buffer overflow in pci_device_freebsd_read_rom() called from find_bios_string() in s3v_driver.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 13 22:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Jerome D
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD jd-freebsd.jddomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Core dump when launching the Xorg command (BoardName "86c368 [Trio 3D/2X]").

root# Xorg -config /root/xorg.conf.new

X.Org X Server 1.7.5
Release Date: 2010-02-16
X Protocol Version 11, Revision 0
Build Operating System: FreeBSD 8.1-RELEASE i386
Current Operating System: FreeBSD jd-freebsd.jddomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
Build Date: 30 June 2010  02:45:04AM

Current version of pixman: 0.16.6
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sat Aug 14 00:31:34 2010
(++) Using config file: "/root/xorg.conf.new"

Segmentation fault: 11 at address 0x286d3000

Fatal server error:
Caught signal 11 (Segmentation fault: 11). Server aborting

Please consult the The X.Org Foundation support
	 at http://wiki.x.org
 for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional information.

Abort (core dumped)

Backtrace from the core:

#0  0x28604a7e in memcpy () from /lib/libc.so.7
#1  0x2821f93f in pci_device_freebsd_read_rom () from /usr/local/lib/libpciaccess.so.0
#2  0x2821d234 in pci_device_read_rom () from /usr/local/lib/libpciaccess.so.0
#3  0x286cc026 in find_bios_string () from /usr/local/lib/xorg/modules/drivers/s3virge_drv.so
#4  0x286d2a40 in init.19138 () from /usr/local/lib/xorg/modules/drivers/s3virge_drv.so
#5  0x285e7f20 in time () from /lib/libc.so.7
Previous frame inner to this frame (corrupt stack?)

s3v_driver.c :
==============

static unsigned char *
find_bios_string(S3VPtr ps3v, int BIOSbase, char *match1, char *match2)
{
#define BIOS_BSIZE 1024
#define BIOS_BASE 0xc0000

    static unsigned char bios[BIOS_BSIZE];
    ..
    if (pci_device_read_rom(ps3v->PciInfo, bios))

freebsd_pci.c :
===============

static int
pci_device_freebsd_read_rom(struct pci_device *dev, void *buffer)
{
    void *bios;
    ..
    bios = mmap( NULL, dev->rom_size, PROT_READ, 0, memfd, 0xc0000 );
    ..
    memcpy( buffer, bios, dev->rom_size );

I don't think that the ROM size is less than or equal to 1024 bytes!

>How-To-Repeat:
root# Xorg -configure
root# Xorg -config /root/xorg.conf.new
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
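The pattern the report describes is a fixed-size caller buffer (1024 bytes) handed to a ROM-reading routine that copies dev->rom_size bytes without ever learning how large the destination is. The following is an added example, not code from libpciaccess or the s3virge driver, that models the two defensive shapes a fix can take: a bounded read that takes the destination size and refuses a ROM that does not fit, and an allocating read that sizes the destination from rom_size. The struct, function names and the 32 KiB ROM image are constructed for the illustration.

```c
/* Added example, not code from libpciaccess or the s3virge driver.
 * Models the reported defect: a fixed 1024-byte buffer passed to a routine
 * that copies dev->rom_size bytes. Two safe alternatives are shown.
 * All names and the ROM image are constructed for this illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BIOS_BSIZE 1024

/* Stand-in for struct pci_device: only the fields this example needs. */
struct fake_pci_device {
    size_t rom_size;          /* option ROM size as reported by the OS */
    const unsigned char *rom; /* constructed ROM image (real code would mmap) */
};

/* Bounded read: the caller states its buffer size and a ROM that does not
 * fit is rejected instead of silently overrunning the destination.
 * Returns 0 on success, ENOSPC if the buffer is too small. */
int read_rom_bounded(const struct fake_pci_device *dev, void *buffer, size_t bufsize)
{
    if (dev->rom_size > bufsize)
        return ENOSPC;
    memcpy(buffer, dev->rom, dev->rom_size);
    return 0;
}

/* Allocating read: the destination is sized from rom_size, so no fixed
 * buffer exists to overrun. Caller frees. NULL with errno set on failure. */
unsigned char *read_rom_alloc(const struct fake_pci_device *dev, size_t *out_len)
{
    if (dev->rom_size == 0) { errno = EINVAL; return NULL; }
    unsigned char *buf = malloc(dev->rom_size);
    if (buf == NULL) return NULL;
    memcpy(buf, dev->rom, dev->rom_size);
    *out_len = dev->rom_size;
    return buf;
}

/* Scan a ROM image for a marker string, the job find_bios_string() does.
 * The search is bounded by the length actually read. Returns offset or -1. */
long find_rom_string(const unsigned char *rom, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return -1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(rom + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* Constructed ROM image: zero-filled, with a marker planted at `at`. */
unsigned char *make_rom(size_t size, const char *marker, size_t at)
{
    unsigned char *rom = calloc(size, 1);
    if (rom && at + strlen(marker) <= size)
        memcpy(rom + at, marker, strlen(marker));
    return rom;
}

/* A 32 KiB ROM against a 1024-byte buffer: the bounded read must refuse. */
int demo_fixed_buffer_rejected(void)
{
    unsigned char fixed[BIOS_BSIZE];
    struct fake_pci_device dev = { 32 * 1024, NULL };
    return read_rom_bounded(&dev, fixed, sizeof fixed);
}

/* Same ROM via the allocating read: the marker beyond the first 1024 bytes
 * is found because the whole image was copied into a right-sized buffer. */
long demo_marker_offset(void)
{
    size_t len = 0;
    struct fake_pci_device dev = { 32 * 1024, make_rom(32 * 1024, "TRIO3D", 20000) };
    unsigned char *rom = read_rom_alloc(&dev, &len);
    long off = rom ? find_rom_string(rom, len, "TRIO3D") : -1;
    free(rom);
    free((void *)dev.rom);
    return off;
}

int main(void)
{
    if (demo_fixed_buffer_rejected() == ENOSPC)
        printf("32 KiB ROM refused by %d-byte fixed buffer\n", BIOS_BSIZE);
    printf("marker at offset %ld\n", demo_marker_offset());
    return 0;
}
```

The bounded variant is the smaller change to an existing API (the size becomes an explicit parameter); the allocating variant removes the fixed buffer entirely, which also matters here because the search in find_bios_string() would otherwise only ever see the first 1024 bytes of a larger ROM.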
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201008132249.o7DMn6C5071072>