Page MenuHomeFreeBSD

uart: Fix an out-of-bounds read in ns8250_bus_probe()
ClosedPublic

Authored by markj on Jul 9 2021, 9:38 PM.

Details

Summary

The problem is that ns8250_bus_probe() accesses a field from the
ns8250_softc, which embeds the generic UART softc, but the ns8250_softc
hasn't yet been allocated because we're still probing.

This is a regression from commit 0aefb0a63c50. This fixed some problem
where one of the upper four IER bits (which are usually reserved?) needs
to be set in order to get RX interrupts before the RX FIFO is full. At
the same time, we avoid clearing those reserved bits (see commit
58957d87173, though I'm not sure this is really needed or makes sense).

So, copy what ns8250_init() does to disable interrupts, since we don't
know what the "right" mask is at this point.

This was found by syzkaller+KASAN:
https://syzkaller.appspot.com/bug?id=3a103473cd81fe2a15d3642b28a50ce63a795424

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

markj requested review of this revision.Jul 9 2021, 9:38 PM
markj created this revision.
markj retitled this revision from uart: Fix an out-of-bounds read in ns8250_bus_param() to uart: Fix an out-of-bounds read in ns8250_bus_probe().Jul 9 2021, 9:38 PM
This revision is now accepted and ready to land.Jul 9 2021, 10:35 PM