
uart: Fix an out-of-bounds read in ns8250_bus_probe()
Closed, Public

Authored by markj on Jul 9 2021, 9:38 PM.

Details

Summary

The problem is that ns8250_bus_probe() accesses a field from the
ns8250_softc, which embeds the generic UART softc, but the ns8250_softc
hasn't yet been allocated because we're still probing.

This is a regression from commit 0aefb0a63c50. This fixed some problem
where one of the upper four IER bits (which are usually reserved?) needs
to be set in order to get RX interrupts before the RX FIFO is full. At
the same time, we avoid clearing those reserved bits (see commit
58957d87173, though I'm not sure this is really needed or makes sense).

So, copy what ns8250_init() does to disable interrupts, since we don't
know what the "right" mask is at this point.

This was found by syzkaller+KASAN:
https://syzkaller.appspot.com/bug?id=3a103473cd81fe2a15d3642b28a50ce63a795424
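
The bug class described in the summary, as an added example that is not part of this revision or of the FreeBSD source: a driver softc embeds a generic softc, and code that runs while only the generic part is allocated must not read driver-only fields. All names here (`base_softc`, `drv_softc`, `sc_size`, `PROBE_IER_KEEP`) and the mask value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the generic softc and the driver softc. */
struct base_softc {
	size_t  sc_size;    /* bytes actually allocated for this object */
	uint8_t sc_ier_reg; /* simulated IER register, not real hardware */
};

struct drv_softc {
	struct base_softc base; /* embedded first, so a downcast is legal */
	uint8_t ier_mask;       /* only present in the full allocation */
};

#define PROBE_IER_KEEP 0xe0 /* constructed value for this example */

static struct base_softc *softc_alloc(size_t size)
{
	struct base_softc *sc = calloc(1, size);
	if (sc != NULL)
		sc->sc_size = size;
	return (sc);
}

/* Downcast only when the allocation really covers the driver softc. */
static struct drv_softc *drv_softc_get(struct base_softc *sc)
{
	if (sc->sc_size < sizeof(struct drv_softc))
		return (NULL);
	return ((struct drv_softc *)sc);
}

/* Probe path: mask interrupts using a constant, no driver fields. */
static uint8_t probe_disable_intr(struct base_softc *sc)
{
	sc->sc_ier_reg &= PROBE_IER_KEEP;
	return (sc->sc_ier_reg);
}

/* Attach path: may use ier_mask, but refuses an undersized object. */
static int attach_disable_intr(struct base_softc *sc, uint8_t *out)
{
	struct drv_softc *drv = drv_softc_get(sc);
	if (drv == NULL)
		return (-1);
	sc->sc_ier_reg &= drv->ier_mask;
	*out = sc->sc_ier_reg;
	return (0);
}
```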

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 40422
Build 37311: arc lint + arc unit

Event Timeline

markj requested review of this revision. (Jul 9 2021, 9:38 PM)
markj created this revision.
markj retitled this revision from "uart: Fix an out-of-bounds read in ns8250_bus_param()" to "uart: Fix an out-of-bounds read in ns8250_bus_probe()". (Jul 9 2021, 9:38 PM)
This revision is now accepted and ready to land. (Jul 9 2021, 10:35 PM)