mirror of
https://github.com/opnsense/src.git
synced 2026-02-27 03:40:37 -05:00
f01c863337
A panic has been observed on a system with a Intel X520 dual LAN device. The panic is caused by a KASSERT() noticing that the amount of VPD data copied out to the pciconf command does not match the amount of data read from the device. The cause of the size mismatch was VPD data that started with 0x82, the VPD tag that indicates that a VPD ident follows, but with a length of more than 255 characters, which happens to be the maximum ident size supported by the API between kernel and the pciconf program. The data provided did not resemble an actual VPD identifier, and it can be assumed that the initial tag value 0x82 happens to be there by accident. An ident size of 255 far exceeds the sensible length of that data element, which is in the order of at most 30 to 40 bytes. This patch adds several consitstency checks to the VPD parser, the most critical being that ident lengths of more than 255 bytes are rejected. Other checks reject VPD with more than one ident tag or with an empty (zero length) ident string. This patch prevents the panic that occured when "pciconf -lV" was executed on the affected system. During the anaylsis of the issue and the VPD code it has been found that the VPD parser uses a state machine that accepts tags in any order and combination. This is a bad match for the actual VPD data, which has a very simple structure that can be parsed with a non-recursive direct descent parser (which always knows exactly which token to expect next). A review fpr a much simpler VPD parser that performs many more consistency checks and rejects invalid VPD has been proposed in review https://reviews.freebsd.org/D34268. Reported by: mikej at paymentallianceintl.com (Michael Jung) Approved by: jhb MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D34255 |
||
|---|---|---|
| .. | ||
| controller | ||
| fixup_pci.c | ||
| hostb_pci.c | ||
| ignore_pci.c | ||
| isa_pci.c | ||
| pci.c | ||
| pci_dw.c | ||
| pci_dw.h | ||
| pci_dw_if.m | ||
| pci_dw_mv.c | ||
| pci_host_generic.c | ||
| pci_host_generic.h | ||
| pci_host_generic_acpi.c | ||
| pci_host_generic_acpi.h | ||
| pci_host_generic_fdt.c | ||
| pci_host_generic_fdt.h | ||
| pci_if.m | ||
| pci_iov.c | ||
| pci_iov.h | ||
| pci_iov_if.m | ||
| pci_iov_private.h | ||
| pci_iov_schema.c | ||
| pci_pci.c | ||
| pci_private.h | ||
| pci_subr.c | ||
| pci_user.c | ||
| pcib_if.m | ||
| pcib_private.h | ||
| pcib_support.c | ||
| pcireg.h | ||
| pcivar.h | ||
| schema_private.h | ||
| vga_pci.c | ||