The code that was meant to test alignment of the register offset
parameter in the read and write case dereferenced an uninitialized pointer and can't possibly ever have caught an actual invalid argument. This was apparently true for the read/write and getconf cases. The latter does not even receive the parameter that is to be verified. I'm surprised that this did not cause kernel panics, but it seems that the uninitialized local variable happens to contain data that may be used as a pointer to memory that satisfies the test condition. Make the code work as intended by moving the test inside the switch case where the pointer has been properly initialized. Since the read and write case shared just about all code (except for the single call to PCIB_READ_CONFIG resp. PCIB_WRITE_CONFIG) I have merged both cases. Noticed by: trhodes@FreeBSD.org (Tom Rhodes)
parent
7dd1328c13
commit
66f314b5f2
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=121013
@ -179,12 +179,6 @@ pci_ioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td)
|
||||
if (!(flag & FWRITE) && cmd != PCIOCGETCONF)
|
||||
return EPERM;
|
||||
|
||||
/* make sure register is in bounds and aligned */
|
||||
if (cmd == PCIOCREAD || cmd == PCIOCWRITE)
|
||||
if (io->pi_reg < 0 || io->pi_reg + io->pi_width > PCI_REGMAX ||
|
||||
io->pi_reg & (io->pi_width - 1))
|
||||
error = EINVAL;
|
||||
|
||||
switch(cmd) {
|
||||
case PCIOCGETCONF:
|
||||
{
|
||||
@ -376,46 +370,21 @@ pci_ioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td)
|
||||
|
||||
break;
|
||||
}
|
||||
case PCIOCREAD:
|
||||
io = (struct pci_io *)data;
|
||||
switch(io->pi_width) {
|
||||
case 4:
|
||||
case 2:
|
||||
case 1:
|
||||
/*
|
||||
* Assume that the user-level bus number is
|
||||
* actually the pciN instance number. We map
|
||||
* from that to the real pcib+bus combination.
|
||||
*/
|
||||
pci = devclass_get_device(devclass_find("pci"),
|
||||
io->pi_sel.pc_bus);
|
||||
if (pci) {
|
||||
int b = pcib_get_bus(pci);
|
||||
pcib = device_get_parent(pci);
|
||||
io->pi_data =
|
||||
PCIB_READ_CONFIG(pcib,
|
||||
b,
|
||||
io->pi_sel.pc_dev,
|
||||
io->pi_sel.pc_func,
|
||||
io->pi_reg,
|
||||
io->pi_width);
|
||||
error = 0;
|
||||
} else {
|
||||
error = ENODEV;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
error = EINVAL;
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
case PCIOCREAD:
|
||||
case PCIOCWRITE:
|
||||
io = (struct pci_io *)data;
|
||||
switch(io->pi_width) {
|
||||
case 4:
|
||||
case 2:
|
||||
case 1:
|
||||
/* make sure register is in bounds and aligned */
|
||||
if (cmd == PCIOCREAD || cmd == PCIOCWRITE)
|
||||
if (io->pi_reg < 0 ||
|
||||
io->pi_reg + io->pi_width > PCI_REGMAX ||
|
||||
io->pi_reg & (io->pi_width - 1))
|
||||
error = EINVAL;
|
||||
|
||||
/*
|
||||
* Assume that the user-level bus number is
|
||||
* actually the pciN instance number. We map
|
||||
@ -426,13 +395,22 @@ pci_ioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td)
|
||||
if (pci) {
|
||||
int b = pcib_get_bus(pci);
|
||||
pcib = device_get_parent(pci);
|
||||
PCIB_WRITE_CONFIG(pcib,
|
||||
b,
|
||||
io->pi_sel.pc_dev,
|
||||
io->pi_sel.pc_func,
|
||||
io->pi_reg,
|
||||
io->pi_data,
|
||||
io->pi_width);
|
||||
if (cmd == PCIOCWRITE)
|
||||
PCIB_WRITE_CONFIG(pcib,
|
||||
b,
|
||||
io->pi_sel.pc_dev,
|
||||
io->pi_sel.pc_func,
|
||||
io->pi_reg,
|
||||
io->pi_data,
|
||||
io->pi_width);
|
||||
else
|
||||
io->pi_data =
|
||||
PCIB_READ_CONFIG(pcib,
|
||||
b,
|
||||
io->pi_sel.pc_dev,
|
||||
io->pi_sel.pc_func,
|
||||
io->pi_reg,
|
||||
io->pi_width);
|
||||
error = 0;
|
||||
} else {
|
||||
error = ENODEV;
|
||||
|
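Review bot: The relocated bounds/alignment test in the merged `case PCIOCREAD:` / `case PCIOCWRITE:` arm only assigns `error = EINVAL;` and then continues, so as shown the `if (pci)` branch still calls PCIB_WRITE_CONFIG or PCIB_READ_CONFIG with the rejected `io->pi_reg` and afterwards overwrites the result with `error = 0` (or ENODEV). A caller-supplied offset that is negative, past PCI_REGMAX or misaligned for `io->pi_width` would therefore still reach the config-space accessor, and the ioctl would report success. The failing check should leave the arm, e.g. `if (io->pi_reg < 0 || io->pi_reg + io->pi_width > PCI_REGMAX || io->pi_reg & (io->pi_width - 1)) { error = EINVAL; break; }`, and the outer `if (cmd == PCIOCREAD || cmd == PCIOCWRITE)` can go since both case labels already guarantee it. The four lines between the second and third hunk and the rest of pci_ioctl are not shown, so confirm nothing there exits early.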