Date: Fri, 29 Jan 2016 22:39:31 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206581] bxe_ioctl_nvram handler is faulty
Message-ID: <bug-206581-8-Sr7aFsF2u6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-206581-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-206581-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581

--- Comment #3 from CTurt <cturt@hardenedbsd.org> ---
To clarify my original post, the bound check is fine.

However, there is a problem that multiple parts of this code use `copyin`
without checking the result, which could possibly lead to the use of
uninitialised stack data if the `copyin` calls fail.

`bxe_ioctl_nvram`:

    copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));

    ...

    copyin(ifr->ifr_data, nvdata, len);
    error = bxe_nvram_write(sc, nvdata->offset, (uint8_t *)nvdata->value,
        nvdata->len);

`bxe_ioctl`:

    copyin(ifr->ifr_data, &priv_op, sizeof(priv_op));

-- 
You are receiving this mail because:
You are the assignee for the bug.
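An added example, not part of the comment above or of the bxe driver source: a userland C model of the checked pattern, in which the result of each copy is tested before the destination buffer is read. `mock_copyin`, `struct nv_req`, `nv_ioctl_checked`, `run_case` and the 8-byte `demo_nvram` are hypothetical stand-ins constructed for illustration; `mock_copyin` only imitates the 0/EFAULT return convention of copyin(9).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userland stand-in for copyin(9): returns 0, or EFAULT on call number fail_at. */
static int fail_at, calls;
static int mock_copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (++calls == fail_at)
        return EFAULT;                  /* models an unmapped user address */
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Hypothetical request layout, loosely modelled on the nvdata in the report. */
struct nv_req { uint32_t offset, len; uint8_t value[]; };
static uint8_t demo_nvram[8];           /* constructed stand-in for the NVRAM */
/* Hypothetical handler: each copy result is checked before the data is used. */
static int nv_ioctl_checked(const void *ifr_data)
{
    struct nv_req base, *req;
    int error = mock_copyin(ifr_data, &base, sizeof(base));
    if (error != 0)
        return error;                   /* base is uninitialised stack: stop */
    if (base.offset > sizeof(demo_nvram) ||
        base.len > sizeof(demo_nvram) - base.offset)
        return EINVAL;
    req = malloc(sizeof(base) + base.len);
    if (req == NULL)
        return ENOMEM;
    error = mock_copyin(ifr_data, req, sizeof(base) + base.len);
    if (error == 0)                     /* write only what was really copied */
        memcpy(demo_nvram + base.offset, req->value, base.len);
    free(req);
    return error;
}

/* Constructed request (offset 2, 4 bytes); copy number fail_on is forced to fail. */
static int run_case(int fail_on)
{
    uint8_t user[sizeof(struct nv_req) + 4] = { 0 };
    struct nv_req hdr = { .offset = 2, .len = 4 };
    memcpy(user, &hdr, sizeof(hdr));
    memcpy(user + sizeof(hdr), "\x01\x02\x03\x04", 4);
    memset(demo_nvram, 0, sizeof(demo_nvram));
    fail_at = fail_on; calls = 0;
    return nv_ioctl_checked(user);
}
```

`run_case(0)` lets both copies succeed; `run_case(1)` and `run_case(2)` force the first or second copy to fail, and in both cases the handler returns EFAULT without touching `demo_nvram`.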
