From owner-freebsd-new-bus@FreeBSD.ORG Fri Nov 6 15:52:08 2009
Date: Fri, 6 Nov 2009 16:20:35 +0100
From: Attilio Rao
Sender: asmrookie@gmail.com
To: freebsd-new-bus@freebsd.org, John Baldwin, Scott Long, Warner Losh, Ed Maste
Subject: [PATCH] Buffer overflow in devclass_add_device()
Message-ID: <3bbf2fe10911060720m6d6919ffw91dcc5b6c1c2016a@mail.gmail.com>
List-Id: FreeBSD's new-bus architecture

A buffer overflow is possible in devclass_add_device(). More specifically, the dev nameunit construction is based on the assumption that the unit linked with the device is invariant, but that can change when calling devclass_alloc_unit() (because -1 is passed or, more simply, because the unit chosen is beyond the table limits). This results in a buffer overflow if the buffer is too short on the second snprintf().

This patch should fix it:
http://www.freebsd.org/~attilio/Sandvine/STABLE_8/subr_bus/subr_bus.diff
aiming for the max possible number of digits necessary.

This bug has been found by Sandvine Incorporated.

Please review.

Thanks,
Attilio

-- 
Peace can only be achieved by understanding - A. Einstein
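The pattern described in the report, as an added example in user-space C (not FreeBSD's subr_bus.c and not the patch at the URL above, which is not reproduced on this page): the nameunit length is computed from the unit the caller requested, the unit is then changed by the allocator, and the second snprintf() no longer has a buffer that fits. alloc_unit() is a toy stand-in for devclass_alloc_unit(), with a fixed table and a "first free slot" fallback; the buffer limit MAXUNITS, the devclass name "foo" and the scenario (units 0..9 taken, caller asks for 5, allocator hands out 10) are constructed. Because the second write here is a bounded snprintf(), the mismatch shows up as a truncated name rather than an out-of-bounds write; the fixed variant sizes the buffer for INT_MAX, the largest unit an int can hold, which is one way to read "the max possible number of digits necessary" and is an assumption about the actual patch.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a devclass: a name and a small fixed unit table. */
#define MAXUNITS 10
struct devclass {
    const char *name;
    int used[MAXUNITS + 1];   /* toy allocation map, constructed for this example */
};

/*
 * Toy stand-in for devclass_alloc_unit(). A request for -1 means "any free
 * unit"; a request that is taken or beyond the table falls back to the first
 * free slot. Either way the unit the caller asked for can change underneath it.
 */
static int alloc_unit(struct devclass *dc, int *unitp)
{
    int unit = *unitp;

    if (unit < 0 || unit > MAXUNITS || dc->used[unit]) {
        for (unit = 0; unit <= MAXUNITS && dc->used[unit]; unit++)
            ;
        if (unit > MAXUNITS)
            return -1;              /* table full */
    }
    dc->used[unit] = 1;
    *unitp = unit;
    return 0;
}

/* Buggy pattern: length derived from the unit BEFORE allocation may change it. */
static char *nameunit_buggy(struct devclass *dc, int unit, int *truncated)
{
    int buflen = snprintf(NULL, 0, "%s%d", dc->name, unit) + 1;
    char *buf = malloc((size_t)buflen);

    if (buf == NULL)
        return NULL;
    if (alloc_unit(dc, &unit) != 0) {   /* unit may now have more digits */
        free(buf);
        return NULL;
    }
    /* Bounded write: if the new unit needs more room, the name is cut short. */
    int need = snprintf(buf, (size_t)buflen, "%s%d", dc->name, unit);
    *truncated = need >= buflen;
    return buf;
}

/* Fixed pattern: size the buffer for the widest unit number an int can hold. */
static char *nameunit_fixed(struct devclass *dc, int unit, int *truncated)
{
    int buflen = snprintf(NULL, 0, "%s%d", dc->name, INT_MAX) + 1;
    char *buf = malloc((size_t)buflen);

    if (buf == NULL)
        return NULL;
    if (alloc_unit(dc, &unit) != 0) {
        free(buf);
        return NULL;
    }
    int need = snprintf(buf, (size_t)buflen, "%s%d", dc->name, unit);
    *truncated = need >= buflen;
    return buf;
}

/* Constructed scenario: units 0..9 are taken, so a request for 5 yields 10. */
static void setup(struct devclass *dc)
{
    memset(dc, 0, sizeof(*dc));
    dc->name = "foo";
    for (int i = 0; i < 10; i++)
        dc->used[i] = 1;
}

/* Run one variant; copies the resulting name into out, returns the truncated flag. */
static int run_variant(char *(*fn)(struct devclass *, int, int *), char *out, size_t outlen)
{
    struct devclass dc;
    int truncated = 0;

    setup(&dc);
    char *s = fn(&dc, 5, &truncated);
    if (s == NULL)
        return -1;
    snprintf(out, outlen, "%s", s);
    free(s);
    return truncated;
}

int demo_buggy(char *out, size_t outlen) { return run_variant(nameunit_buggy, out, outlen); }
int demo_fixed(char *out, size_t outlen) { return run_variant(nameunit_fixed, out, outlen); }

int main(void)
{
    char name[32];
    int t;

    t = demo_buggy(name, sizeof name);
    printf("buggy: name=%s truncated=%d\n", name, t);
    t = demo_fixed(name, sizeof name);
    printf("fixed: name=%s truncated=%d\n", name, t);
    return 0;
}
```

In the buggy variant the length is computed for "foo5" (5 bytes with the terminator), the allocator returns unit 10, and "foo10" needs 6, so the stored name becomes "foo1": a different device name than the one the unit table records. The fixed variant's only change is the value fed to the first snprintf(), which is the shape of the fix the message describes.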