From nobody@FreeBSD.org  Thu Jul 19 19:15:12 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B6A911065675
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 19 Jul 2012 19:15:12 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id A16D88FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 19 Jul 2012 19:15:12 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6JJF6kc023835
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 19 Jul 2012 19:15:06 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q6JJF6AN023826;
	Thu, 19 Jul 2012 19:15:06 GMT
	(envelope-from nobody)
Message-Id: <201207191915.q6JJF6AN023826@red.freebsd.org>
Date: Thu, 19 Jul 2012 19:15:06 GMT
From: Mark Johnston <markjdb@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ichsmb] buffer overflow during block read
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         170003
>Category:       kern
>Synopsis:       [ichsmb] buffer overflow during block read
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    markj
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 19 19:20:13 UTC 2012
>Closed-Date:    
>Last-Modified:  Fri Dec 21 19:39:58 UTC 2012
>Originator:     Mark Johnston
>Release:        CURRENT
>Organization:
Sandvine Inc.
>Environment:
FreeBSD oddish 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r237931+09aeb19-dirty: Sun Jul  1 13:10:47 EDT 2012     mark@oddish:/home/mark/src/obj/usr/home/mark/src/freebsd/sys/GENERIC  amd64
>Description:
ichsmb(4) uses a 32-byte buffer in the softc to hold the bytes received from a block read command. When such a command is issued, the hardware is supposed to fill out the host data 0 register with the number of bytes to be returned. Some devices return more than 32 bytes for some reason, causing ichsmb to clobber parts of its softc. In my case, the mutex gets overwritten, leading to a panic during execution of the next smbus command.
>How-To-Repeat:
It may not be reproducible depending on the devices available on the bus. Try running the program here: http://www.student.cs.uwaterloo.ca/~m6johnst/smbbread.c
>Fix:
Attached patch.

Patch attached with submission follows:

diff --git a/sys/dev/ichsmb/ichsmb.c b/sys/dev/ichsmb/ichsmb.c
index 5ff54db..ac4d191 100644
--- a/sys/dev/ichsmb/ichsmb.c
+++ b/sys/dev/ichsmb/ichsmb.c
@@ -575,8 +575,9 @@ ichsmb_device_intr(void *cookie)
 
 				/* First interrupt, get the count also */
 				if (sc->block_index == 0) {
-					sc->block_count = bus_read_1(
-					    sc->io_res, ICH_D0);
+					sc->block_count = min(
+					    bus_read_1(sc->io_res, ICH_D0),
+					    sizeof(sc->block_data));
 				}
 
 				/* Get next byte, if any */
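Review bot: the clamp to sizeof(sc->block_data) stops the softc overrun, but it silently truncates a malformed block: the caller sees a 32-byte result with no indication that the device reported more, and whatever the device still delivers beyond the clamped count is left on the bus for the next transaction. Consider recording the condition in the softc (for example a flag the completion path turns into an error return) so the request fails visibly instead of quietly shrinking, and add a one-line comment above the min() explaining that some devices report a count larger than the buffer, since without it the bound looks like an arbitrary limit rather than the fix for a memory-safety bug.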


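As an added illustration of the overrun the report describes (example code written for this note, not from the PR or the ichsmb(4) source): a cut-down model in which the softc's 32-byte block buffer is followed by a word standing in for the mutex, and a constructed device that reports and delivers 36 bytes. The unclamped path stores every byte the device announces and overwrites the lock word; the clamped path applies the same bound as the patch and stops at the buffer size. The struct names (sim_softc, sim_device), the helper functions and the sample byte pattern are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX     32		/* receive buffer size, as in the ichsmb(4) softc */
#define LOCK_SENTINEL 0xA5A5A5A5u	/* stands in for the mutex the overrun clobbered */

/*
 * Constructed stand-in for the driver softc (not the real struct): the
 * loop counters sit before the buffer so that an overrun runs only into
 * lock_word, the field that plays the mutex.
 */
struct sim_softc {
	size_t   block_count;
	size_t   block_index;
	uint8_t  block_data[BLOCK_MAX];
	uint32_t lock_word;
};

/*
 * Constructed model of the bus device: the value the driver would read
 * from host data 0 (ICH_D0), then the bytes it hands over one per
 * interrupt. Keep the count at most BLOCK_MAX + sizeof(lock_word) so the
 * simulated overrun stays inside the softc object.
 */
struct sim_device {
	uint8_t        count_reg;
	const uint8_t *bytes;
};

/*
 * Replay the block-read interrupt sequence: the first interrupt latches the
 * count, every interrupt stores one byte. The store goes through a byte
 * pointer into the softc so an oversized count overwrites the neighbouring
 * field deterministically, which is what the report describes happening
 * to the mutex in the real driver.
 */
static size_t
run_block_read(struct sim_softc *sc, const struct sim_device *dev, int clamp)
{
	uint8_t *raw = (uint8_t *)sc;

	memset(sc, 0, sizeof(*sc));
	sc->lock_word = LOCK_SENTINEL;
	do {
		if (sc->block_index == 0) {
			size_t n = dev->count_reg;
			/* The PR's fix: never trust a count larger than the buffer. */
			if (clamp && n > sizeof(sc->block_data))
				n = sizeof(sc->block_data);
			sc->block_count = n;
		}
		if (sc->block_index < sc->block_count) {
			raw[offsetof(struct sim_softc, block_data) + sc->block_index] =
			    dev->bytes[sc->block_index];
			sc->block_index++;
		}
	} while (sc->block_index < sc->block_count);
	return sc->block_count;
}

/* Constructed misbehaving device: claims 36 bytes and delivers 36. */
#define BAD_COUNT 36
static uint8_t bad_bytes[BAD_COUNT];

static struct sim_device
bad_device(void)
{
	struct sim_device dev;

	for (size_t i = 0; i < BAD_COUNT; i++)
		bad_bytes[i] = (uint8_t)(0xC0 + i);
	dev.count_reg = BAD_COUNT;
	dev.bytes = bad_bytes;
	return dev;
}

/* Bytes the driver accepted from the bad device, with or without the clamp. */
static size_t
block_read_count(int clamp)
{
	struct sim_device dev = bad_device();
	struct sim_softc sc;

	return run_block_read(&sc, &dev, clamp);
}

/* 1 if the softc's lock survived the block read, 0 if it was overwritten. */
static int
block_read_keeps_lock(int clamp)
{
	struct sim_device dev = bad_device();
	struct sim_softc sc;

	run_block_read(&sc, &dev, clamp);
	return sc.lock_word == LOCK_SENTINEL;
}

int
main(void)
{
	printf("unbounded: %zu bytes stored, lock %s\n", block_read_count(0),
	    block_read_keeps_lock(0) ? "intact" : "clobbered");
	printf("clamped:   %zu bytes stored, lock %s\n", block_read_count(1),
	    block_read_keeps_lock(1) ? "intact" : "clobbered");
	return 0;
}
```

Build with any C99 compiler and run it. The clamped run keeps the structure intact but also silently drops the excess, which is why the upper layer would see a 32-byte block rather than an error; that trade-off is the one to weigh when applying the patch.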
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->markj 
Responsible-Changed-By: markj 
Responsible-Changed-When: Fri Dec 21 19:39:57 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=170003 
>Unformatted:
