From owner-freebsd-bugs@FreeBSD.ORG Sat Dec 3 09:30:28 2005
Message-Id: <200512030919.jB39JdxM001123@nico.marabu.ch>
Date: Sat, 3 Dec 2005 10:19:39 +0100 (CET)
From: Adrian Steinmann
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: Gianmarco Giovannelli, imp@FreeBSD.org
Subject: kern/89878: [PATCH] pccard.c:pccard_safe_quote() unsafe
Reply-To: Adrian Steinmann

>Number:         89878
>Category:       kern
>Synopsis:       [PATCH] pccard.c:pccard_safe_quote() unsafe
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 03 09:30:05 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Steinmann
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
Webgroup Consulting AG
>Environment:
System: FreeBSD nico.marabu.ch 6.0-STABLE FreeBSD 6.0-STABLE #8: Sat Dec 3 09:26:04 CET 2005 root@nico.marabu.ch:/usr/obj/usr/src/sys/NIC i386
Also in -current
>Description:
panic when TDK 128MB CF is inserted with pccard adapter
>How-To-Repeat:
insert pccard adapter holding a TDK 128MB CF
>Fix:
The routine pccard_safe_quote() at sys/dev/pccard/pccard.c:993, pccard_safe_quote(char *dst, const char *src, size_t len), does not check whether src is NULL, but it may be, because the cis1_info[] entries are initialized that way:

sys/dev/pccard/pccard_cis.c:88: state.card->cis1_info[0] = NULL;
sys/dev/pccard/pccard_cis.c:89: state.card->cis1_info[1] = NULL;
sys/dev/pccard/pccard_cis.c:90: state.card->cis1_info[2] = NULL;
sys/dev/pccard/pccard_cis.c:91: state.card->cis1_info[3] = NULL;

The patch enclosed checks if src is NULL and returns, making it safe.
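As an added illustration (not the PR's patch and not FreeBSD's own code), the following C program parses the two CISTPL_VERS_1 tuples dumped later in this report and feeds the result through a quoting routine modelled on the visible shape of pccard_safe_quote(), with the NULL check the report asks for. The parsing rule (only strings NUL-terminated before the 0xff end marker are recorded, anything else leaves the slot NULL) and the names parse_vers1, safe_quote, describe_card and struct card_info are assumptions made for this example; the two byte arrays are constructed from the hex in the dumps.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CISTPL_VERS_1 0x15   /* tuple code: level-1 version / product info */
#define CISTPL_END    0xff   /* end marker inside the VERS_1 body */

/* Constructed from the dumps in this report. The TDK tuple has no NUL before
 * 0xff; the Jinmeng tuple carries two NUL-terminated strings. */
static const uint8_t TDK_VERS1[] = {
    0x15, 0x0b, 0x04, 0x01, 0x54, 0x44, 0x4b, 0x20, 0x54, 0x43, 0x5f, 0x4d, 0xff
};
static const uint8_t JINMENG_VERS1[] = {
    0x15, 0x11, 0x04, 0x01, 0x4a, 0x69, 0x6e, 0x6d, 0x65, 0x6d, 0x67, 0x00,
    0x31, 0x32, 0x38, 0x4d, 0x42, 0x00, 0xff
};

struct card_info {
    uint8_t major, minor;
    const char *cis1_info[4];   /* stays NULL when the tuple supplies no string */
    char strbuf[64];
};

/* Parse one CISTPL_VERS_1 tuple (code, length, body). Returns the number of
 * strings recorded, or -1 for a malformed tuple. Assumption for this example:
 * a string is recorded only if NUL-terminated before the 0xff marker. */
int parse_vers1(const uint8_t *tuple, size_t tuplen, struct card_info *ci)
{
    memset(ci, 0, sizeof(*ci));
    if (tuplen < 4 || tuple[0] != CISTPL_VERS_1)
        return -1;
    size_t len = tuple[1];
    if (len < 2 || len + 2 > tuplen)
        return -1;
    ci->major = tuple[2];
    ci->minor = tuple[3];
    const uint8_t *p = tuple + 4, *end = tuple + 2 + len;
    size_t used = 0;
    int n = 0;
    while (n < 4 && p < end && *p != CISTPL_END) {
        const uint8_t *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            break;                           /* unterminated: slot stays NULL */
        size_t slen = (size_t)(nul - p) + 1; /* include the terminator */
        if (used + slen > sizeof(ci->strbuf))
            return -1;
        memcpy(ci->strbuf + used, p, slen);
        ci->cis1_info[n++] = ci->strbuf + used;
        used += slen;
        p = nul + 1;
    }
    return n;
}

/* Copy src into dst, escaping double quotes, never writing past len bytes and
 * always NUL-terminating. A NULL src yields "" instead of a fault. */
void safe_quote(char *dst, const char *src, size_t len)
{
    char *walker = dst, *ep = dst + len - 1;   /* keep one byte for the NUL */

    if (len == 0)
        return;
    if (src == NULL) {            /* the missing check: NULL cis1_info[] slot */
        *dst = '\0';
        return;
    }
    while (walker < ep && *src != '\0') {
        if (*src == '"') {
            if (ep - walker < 2)
                break;            /* no room for backslash plus quote */
            *walker++ = '\\';
        }
        *walker++ = *src++;
    }
    *walker = '\0';
}

/* Render the "manufacturer, product" pair the driver would print. Returns how
 * many of the two slots were NULL and had to be rendered as "". */
int describe_card(const struct card_info *ci, char *out, size_t outlen)
{
    char mfr[32], prod[32];
    int missing = (ci->cis1_info[0] == NULL) + (ci->cis1_info[1] == NULL);

    safe_quote(mfr, ci->cis1_info[0], sizeof(mfr));
    safe_quote(prod, ci->cis1_info[1], sizeof(prod));
    snprintf(out, outlen, "\"%s\", \"%s\"", mfr, prod);
    return missing;
}

int main(void)
{
    struct card_info ci;
    char line[96];
    int m;

    parse_vers1(TDK_VERS1, sizeof(TDK_VERS1), &ci);
    m = describe_card(&ci, line, sizeof(line));
    printf("TDK:     %s (%d NULL slot(s))\n", line, m);
    parse_vers1(JINMENG_VERS1, sizeof(JINMENG_VERS1), &ci);
    m = describe_card(&ci, line, sizeof(line));
    printf("Jinmeng: %s (%d NULL slot(s))\n", line, m);
    return 0;
}
```

The TDK tuple leaves every cis1_info[] slot NULL, which is exactly the input the unpatched routine dereferences; with the guard in place the card is still described, just with empty strings. The early return also leaves dst terminated, which matters because callers typically print the buffer afterwards.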
The TDK 128MB CF displays this behavior and panics the kernel in pccard_safe_quote(). It seems to be connected to the odd CISTPL_VERS_1 tuple the TDK CF has. Here is the output with hw.pccard.debug: 1 and hw.pccard.cis_debug: 1 for the TDK and the "No Name (Jinmeng)" card:

card.cis1_info[] NULL ("abnormal" case): TDK, 128MB

ata2: at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 122MB at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
 CISTPL_DEVICE type=funcspec speed=ext 01 04 df 4a 01 ff
 unhandled CISTPL 1c 1c 04 02 d9 01 ff
 unhandled CISTPL 18 18 02 df 01
 CISTPL_MANFID 20 04 01 05 01 04
 CISTPL_VERS_1 15 0b 04 01 54 44 4b 20 54 43 5f 4d ff
 CISTPL_FUNCID 21 02 04 01
 CISTPL_FUNCE 22 02 01 01
 CISTPL_FUNCE 22 03 02 0c 0f
 CISTPL_CONFIG 1a 05 01 03 00 02 0f
 CISTPL_CFTABLE_ENTRY 1b 08 c0 40 a1 01 55 08 00 20
 CISTPL_CFTABLE_ENTRY 1b 06 00 01 21 b5 1e 4d
 CISTPL_CFTABLE_ENTRY 1b 0a c1 41 99 01 55 64 f0 ff ff 20
 CISTPL_CFTABLE_ENTRY 1b 06 01 01 21 b5 1e 4d
 CISTPL_CFTABLE_ENTRY 1b 0f c2 41 99 01 55 ea 61 f0 01 07 f6 03 01 ee 20
 CISTPL_CFTABLE_ENTRY 1b 06 02 01 21 b5 1e 4d
 CISTPL_CFTABLE_ENTRY 1b 0f c3 41 99 01 55 ea 61 70 01 07 76 03 01 ee 20
 CISTPL_CFTABLE_ENTRY 1b 06 03 01 21 b5 1e 4d
 unhandled CISTPL 14
 CISTPL_NO_LINK 14 00
 CISTPL_END ff
pccard0: check_cis_quirks
pccard0: CIS version PCCARD 2.0 or 2.1
pccard0: CIS info:

card.cis1_info[] not NULL ("normal" case): Jinmemg, 128MB

ata2: at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 123MB at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
 CISTPL_DEVICE type=funcspec speed=250ns 01 03 d9 01 ff
 unhandled CISTPL 1c 1c 04 02 d9 01 ff
 unhandled CISTPL 18 18 02 df 01
 CISTPL_MANFID 20 04 00 00 00 00
 CISTPL_FUNCID 21 02 04 01
 CISTPL_FUNCE 22 02 01 01
 CISTPL_FUNCE 22 03 02 04 07
 CISTPL_CONFIG 1a 05 01 07 00 02 0f
 CISTPL_CFTABLE_ENTRY 1b 0b c0 c0 a1 27 55 4d 5d 75 08 00 21
 CISTPL_CFTABLE_ENTRY 1b 06 00 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY 1b 0d c1 41 99 27 55 4d 5d 75 64 f0 ff ff 21 CISTPL_CFTABLE_ENTRY 1b 06 01 01 21 b5 1e 4d CISTPL_CFTABLE_ENTRY 1b 12 c2 41 99 27 55 4d 5d 75 ea 61 f0 01 07 f6 03 01 ee 21 CISTPL_CFTABLE_ENTRY 1b 06 02 01 21 b5 1e 4d CISTPL_CFTABLE_ENTRY 1b 12 c3 41 99 27 55 4d 5d 75 ea 61 70 01 07 76 03 01 ee 21 CISTPL_CFTABLE_ENTRY 1b 06 03 01 21 b5 1e 4d CISTPL_CFTABLE_ENTRY 1b 04 07 00 28 d3 unhandled CISTPL 14 CISTPL_NO_LINK 14 00 CISTPL_VERS_1 15 11 04 01 4a 69 6e 6d 65 6d 67 00 31 32 38 4d 42 00 ff CISTPL_END ff pccard0: check_cis_quirks pccard0: CIS version PCCARD 2.0 or 2.1 pccard0: CIS info: Jinmemg, 128MB PATCH: Index: sys/dev/pccard/pccard.c =================================================================== RCS file: /usr/cvs/src/sys/dev/pccard/pccard.c,v retrieving revision 1.105.2.2 diff -u -r1.105.2.2 pccard.c --- sys/dev/pccard/pccard.c 27 Sep 2005 18:42:19 -0000 1.105.2.2 +++ sys/dev/pccard/pccard.c 3 Dec 2005 07:52:39 -0000 @@ -996,7 +996,7 @@ if (len == 0) return; - while (walker < ep) + while ( (src != NULL) && (walker < ep) ) { if (*src == '"') { if (ep - walker < 2) >Release-Note: >Audit-Trail: >Unformatted:
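Review bot: the NULL guard in `while ( (src != NULL) && (walker < ep) )` is re-evaluated on every iteration although src cannot become NULL inside the loop, and it does not match the description's own wording that the routine "checks if src is NULL and returns"; hoist it into an early return next to the existing `if (len == 0) return;`, i.e. `if (src == NULL) return;`, or, if the loop form is kept, write it in style(9) spacing as `while (src != NULL && walker < ep)`. Whichever form goes in, check the code after the loop (outside this hunk's context) still NUL-terminates dst on the NULL-src path so callers never print an unterminated buffer, and consider a companion fix at the call site, since the report shows the NULL comes from cis1_info[] slots that pccard_cis.c initializes to NULL and never fills for this card's CISTPL_VERS_1.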