From 6a55ff3777d67df18d8d315cd2f925b3722db494 Mon Sep 17 00:00:00 2001 From: se Date: Sat, 11 Oct 2003 22:20:34 +0000 Subject: The code that was meant to test alignment of the register offset parameter in the read and write case dereferenced an unitialized pointer and can't possibly ever have catched an actual invalid argument. This was apparently true for the read/write and getconf cases. The latter does not even receive the paramter that is to be verified. I'm surprised that this did not cause kernel panics, but it seems that the uninitialized local variable happens to contain data that may be used as a pointer to memory that satisfies the test condition. Make the code work as intended by moving the test inside the switch case where the pointer has been properly initialized. Since the read and write case shared just about all code (except for the single call to PCIB_READ_CONFIG resp. PCIB_WRITE_CONFIG) I have merged both cases. Noticed by: trhodes@FreeBSD.org (Tom Rhodes) --- sys/dev/pci/pci_user.c | 70 +++++++++++++++++--------------------------------- 1 file changed, 24 insertions(+), 46 deletions(-) (limited to 'sys') diff --git a/sys/dev/pci/pci_user.c b/sys/dev/pci/pci_user.c index 80832b2..b816779 100644 --- a/sys/dev/pci/pci_user.c +++ b/sys/dev/pci/pci_user.c @@ -179,12 +179,6 @@ pci_ioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct thread *td) if (!(flag & FWRITE) && cmd != PCIOCGETCONF) return EPERM; - /* make sure register is in bounds and aligned */ - if (cmd == PCIOCREAD || cmd == PCIOCWRITE) - if (io->pi_reg < 0 || io->pi_reg + io->pi_width > PCI_REGMAX || - io->pi_reg & (io->pi_width - 1)) - error = EINVAL; - switch(cmd) { case PCIOCGETCONF: { @@ -376,46 +370,21 @@ getconfexit: break; } - case PCIOCREAD: - io = (struct pci_io *)data; - switch(io->pi_width) { - case 4: - case 2: - case 1: - /* - * Assume that the user-level bus number is - * actually the pciN instance number. We map - * from that to the real pcib+bus combination. - */ - pci = devclass_get_device(devclass_find("pci"), - io->pi_sel.pc_bus); - if (pci) { - int b = pcib_get_bus(pci); - pcib = device_get_parent(pci); - io->pi_data = - PCIB_READ_CONFIG(pcib, - b, - io->pi_sel.pc_dev, - io->pi_sel.pc_func, - io->pi_reg, - io->pi_width); - error = 0; - } else { - error = ENODEV; - } - break; - default: - error = EINVAL; - break; - } - break; + case PCIOCREAD: case PCIOCWRITE: io = (struct pci_io *)data; switch(io->pi_width) { case 4: case 2: case 1: + /* make sure register is in bounds and aligned */ + if (cmd == PCIOCREAD || cmd == PCIOCWRITE) + if (io->pi_reg < 0 || + io->pi_reg + io->pi_width > PCI_REGMAX || + io->pi_reg & (io->pi_width - 1)) + error = EINVAL; + /* * Assume that the user-level bus number is * actually the pciN instance number. We map @@ -426,13 +395,22 @@ getconfexit: if (pci) { int b = pcib_get_bus(pci); pcib = device_get_parent(pci); - PCIB_WRITE_CONFIG(pcib, - b, - io->pi_sel.pc_dev, - io->pi_sel.pc_func, - io->pi_reg, - io->pi_data, - io->pi_width); + if (cmd == PCIOCWRITE) + PCIB_WRITE_CONFIG(pcib, + b, + io->pi_sel.pc_dev, + io->pi_sel.pc_func, + io->pi_reg, + io->pi_data, + io->pi_width); + else + io->pi_data = + PCIB_READ_CONFIG(pcib, + b, + io->pi_sel.pc_dev, + io->pi_sel.pc_func, + io->pi_reg, + io->pi_width); error = 0; } else { error = ENODEV; -- cgit v1.1