From ast@marabu.ch  Sat Dec  3 09:20:10 2005
Return-Path: <ast@marabu.ch>
Message-Id: <200512030919.jB39JdxM001123@nico.marabu.ch>
Date: Sat, 3 Dec 2005 10:19:39 +0100 (CET)
From: Adrian Steinmann <ast@marabu.ch>
Reply-To: Adrian Steinmann <ast@marabu.ch>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Gianmarco Giovannelli <gmarco@giovannelli.it>, imp@freebsd.org
Subject: [PATCH] pccard.c:pccard_safe_quote() unsafe
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         89878
>Category:       kern
>Synopsis:       [pccard] [patch] pccard.c:pccard_safe_quote() unsafe
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 03 09:30:05 GMT 2005
>Closed-Date:    Tue Aug 26 23:01:27 MDT 2008
>Last-Modified:  Tue Aug 26 23:01:27 MDT 2008
>Originator:     Adrian Steinmann
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
Webgroup Consulting AG
>Environment:
System: FreeBSD nico.marabu.ch 6.0-STABLE FreeBSD 6.0-STABLE #8: Sat Dec 3 09:26:04 CET 2005 root@nico.marabu.ch:/usr/obj/usr/src/sys/NIC i386

Also in -current

>Description:
	panic when TDK 128MB CF is inserted with pccard adapter
>How-To-Repeat:
	insert pccard adapter holding a TDK 128MB CF
>Fix:

The routine pccard_safe_quote() in

sys/dev/pccard/pccard.c:993:pccard_safe_quote(char *dst, const char *src, size_t len)

does not check whether src is NULL, but it can be, because the cis1_info[]
entries are initialized to NULL:

sys/dev/pccard/pccard_cis.c:88:        state.card->cis1_info[0] = NULL;
sys/dev/pccard/pccard_cis.c:89:        state.card->cis1_info[1] = NULL;
sys/dev/pccard/pccard_cis.c:90:        state.card->cis1_info[2] = NULL;
sys/dev/pccard/pccard_cis.c:91:        state.card->cis1_info[3] = NULL;

The patch enclosed checks if src is NULL and returns, making it safe.

The TDK 128MB CF displays this behavior and panics the kernel in pccard_safe_quote().
It seems to be connected to the odd CISTPL_VERS_1 which the TDK CF has. Here is the
CIS debug output, captured with

hw.pccard.debug: 1
hw.pccard.cis_debug: 1

for the TDK and the "No Name (Jinmeng)" card:

card.cis1_info[] NULL ("abnormal" case):
TDK, 128MB
ata2: <vendor=0x501 product=0x401> at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 122MB <TDK TC M Rev 3.03> at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
CISTPL_DEVICE type=funcspec speed=ext
 01 04 df 4a 01 ff
unhandled CISTPL 1c
 1c 04 02 d9 01 ff
unhandled CISTPL 18
 18 02 df 01
CISTPL_MANFID
 20 04 01 05 01 04
CISTPL_VERS_1
 15 0b 04 01 54 44 4b 20 54 43 5f 4d ff
CISTPL_FUNCID
 21 02 04 01
CISTPL_FUNCE
 22 02 01 01
CISTPL_FUNCE
 22 03 02 0c 0f
CISTPL_CONFIG
 1a 05 01 03 00 02 0f
CISTPL_CFTABLE_ENTRY
 1b 08 c0 40 a1 01 55 08 00 20
CISTPL_CFTABLE_ENTRY
 1b 06 00 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 0a c1 41 99 01 55 64 f0 ff ff 20
CISTPL_CFTABLE_ENTRY
 1b 06 01 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 0f c2 41 99 01 55 ea 61 f0 01 07 f6 03 01 ee
 20
CISTPL_CFTABLE_ENTRY
 1b 06 02 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 0f c3 41 99 01 55 ea 61 70 01 07 76 03 01 ee
 20
CISTPL_CFTABLE_ENTRY
 1b 06 03 01 21 b5 1e 4d
unhandled CISTPL 14
CISTPL_NO_LINK
 14 00
CISTPL_END
 ff
pccard0: check_cis_quirks
pccard0: CIS version PCCARD 2.0 or 2.1
pccard0: CIS info: 

card.cis1_info[] not NULL ("normal" case):
Jinmemg, 128MB
ata2: <Jinmemg 128MB> at port 0x4000-0x400f irq 11 function 0 config 1 on pccard0
ad4: 123MB <Hyperstone ATA 30/06/03> at ata2-master PIO2
========================================================
pccard0: CIS tuple chain:
CISTPL_DEVICE type=funcspec speed=250ns
 01 03 d9 01 ff
unhandled CISTPL 1c
 1c 04 02 d9 01 ff
unhandled CISTPL 18
 18 02 df 01
CISTPL_MANFID
 20 04 00 00 00 00
CISTPL_FUNCID
 21 02 04 01
CISTPL_FUNCE
 22 02 01 01
CISTPL_FUNCE
 22 03 02 04 07
CISTPL_CONFIG
 1a 05 01 07 00 02 0f
CISTPL_CFTABLE_ENTRY
 1b 0b c0 c0 a1 27 55 4d 5d 75 08 00 21
CISTPL_CFTABLE_ENTRY
 1b 06 00 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 0d c1 41 99 27 55 4d 5d 75 64 f0 ff ff 21
CISTPL_CFTABLE_ENTRY
 1b 06 01 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 12 c2 41 99 27 55 4d 5d 75 ea 61 f0 01 07 f6
 03 01 ee 21
CISTPL_CFTABLE_ENTRY
 1b 06 02 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 12 c3 41 99 27 55 4d 5d 75 ea 61 70 01 07 76
 03 01 ee 21
CISTPL_CFTABLE_ENTRY
 1b 06 03 01 21 b5 1e 4d
CISTPL_CFTABLE_ENTRY
 1b 04 07 00 28 d3
unhandled CISTPL 14
CISTPL_NO_LINK
 14 00
CISTPL_VERS_1
 15 11 04 01 4a 69 6e 6d 65 6d 67 00 31 32 38 4d
 42 00 ff
CISTPL_END
 ff
pccard0: check_cis_quirks
pccard0: CIS version PCCARD 2.0 or 2.1
pccard0: CIS info: Jinmemg, 128MB

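As an added illustration (not code from this PR or from the FreeBSD tree), the following user-space reconstruction shows the two pieces involved: a VERS_1 tuple parser that, like the CIS walker described above, fills a cis1_info slot only once it sees that string's NUL, and a quoting routine in the style of pccard_safe_quote() that tolerates a NULL slot. The tuple bytes are copied from the two dumps above; the names parse_vers1() and safe_quote() are assumed here, and the parser's 255-byte scratch buffer mirrors no particular kernel constant.

```c
#include <string.h>

/* CISTPL_VERS_1 bodies (after the 0x15 code and length byte) from the PR. */
static const unsigned char tdk_vers1[] = { 0x04, 0x01, 0x54, 0x44, 0x4b,
    0x20, 0x54, 0x43, 0x5f, 0x4d, 0xff };
static const unsigned char jin_vers1[] = { 0x04, 0x01, 0x4a, 0x69, 0x6e,
    0x6d, 0x65, 0x6d, 0x67, 0x00, 0x31, 0x32, 0x38, 0x4d, 0x42, 0x00, 0xff };

/* Parse a VERS_1 body: major, minor, then up to four NUL-terminated strings
 * ending at 0xff.  A slot is filled only once its NUL is seen, so strings
 * that run straight into 0xff (the TDK card) leave all four NULL.
 * Returns the number of strings recorded. */
static int
parse_vers1(const unsigned char *body, size_t len, char buf[256],
    const char *info[4])
{
	size_t i, start = 0;
	int count = 0;
	memset(info, 0, 4 * sizeof(info[0]));
	for (i = 2; i < len && i - 2 < 255 && count < 4 && body[i] != 0xff;
	    i++) {
		buf[i - 2] = (char)body[i];
		if (body[i] == 0) {
			info[count++] = buf + start;
			start = i - 1;	/* next string begins after the NUL */
		}
	}
	return (count);
}

/* Copy src into dst (len bytes), backslash-escaping double quotes, in the
 * style of pccard_safe_quote().  A NULL src (an unfilled VERS_1 slot) is
 * treated as "", dst is always NUL-terminated when len > 0, and no
 * backslash is written unless the quote it escapes also fits. */
static void
safe_quote(char *dst, const char *src, size_t len)
{
	char *walker = dst, *ep = dst + len - 1;
	if (len == 0)
		return;
	if (src == NULL)
		src = "";
	while (walker < ep && *src != '\0') {
		if (*src == '"') {
			if (ep - walker < 2)
				break;
			*walker++ = '\\';
		}
		*walker++ = *src++;
	}
	*walker = '\0';
}
```

Running parse_vers1() on the TDK bytes yields zero strings, so every slot handed to the quoting routine is NULL; the Jinmemg bytes yield "Jinmemg" and "128MB" with slots 2 and 3 still NULL.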
PATCH:
Index: sys/dev/pccard/pccard.c
===================================================================
RCS file: /usr/cvs/src/sys/dev/pccard/pccard.c,v
retrieving revision 1.105.2.2
diff -u -r1.105.2.2 pccard.c
--- sys/dev/pccard/pccard.c	27 Sep 2005 18:42:19 -0000	1.105.2.2
+++ sys/dev/pccard/pccard.c	3 Dec 2005 07:52:39 -0000
@@ -996,7 +996,7 @@
 
 	if (len == 0)
 		return;
-	while (walker < ep)
+	while ( (src != NULL) && (walker < ep) )
 	{
 		if (*src == '"') {
 			if (ep - walker < 2)
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Tue Aug 26 23:00:55 MDT 2008 
State-Changed-Why:  
This was fixed some time ago, maybe w/o credit in the commit log :-( 


http://www.freebsd.org/cgi/query-pr.cgi?pr=89878 
>Unformatted:
