NetBSD Problem Report #50759
From www@NetBSD.org Wed Feb 3 10:20:55 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 8F15A7A20C
for <gnats-bugs@gnats.NetBSD.org>; Wed, 3 Feb 2016 10:20:55 +0000 (UTC)
Message-Id: <20160203102054.AE97A7ABE0@mollari.NetBSD.org>
Date: Wed, 3 Feb 2016 10:20:54 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: [src/sys/arch/x68k/dev/zs.c:159]: (error) Array 'zs_physaddr[5]' accessed at index 5, which is out of bounds.
X-Send-Pr-Version: www-1.0
>Number: 50759
>Category: port-x68k
>Synopsis: [src/sys/arch/x68k/dev/zs.c:159]: (error) Array 'zs_physaddr[5]' accessed at index 5, which is out of bounds.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: port-x68k-maintainer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 03 10:25:00 +0000 2016
>Closed-Date: Tue May 31 03:54:52 +0000 2016
>Last-Modified: Tue May 31 03:54:52 +0000 2016
>Originator: David Binderman
>Release: cvs dated 20160203
>Organization:
>Environment:
>Description:
Source code is
    for (i = 0; i < ZS_MAXDEV; i++)
        if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
            break;
    /* ... */
    if (zsaddr != (void *)zs_physaddr[i])
        return 0;
Maybe better code
    for (i = 0; i < ZS_MAXDEV; i++)
        if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
            break;
    /* ... */
    if (i >= ZS_MAXDEV)
        return 0;
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50759 CVS commit: src/sys/arch/x68k/dev
Date: Tue, 31 May 2016 03:22:30 +0000
Module Name: src
Committed By: dholland
Date: Tue May 31 03:22:30 UTC 2016
Modified Files:
src/sys/arch/x68k/dev: zs.c
Log Message:
PR 50759 David Binderman: fix out of bounds array access.
If we don't find one of the expected device addresses, reject the
match, but do it by checking whether the loop matched something rather
than by testing an array entry that might be one past the end.
Note: I have also moved the test to be with the loop; since the call
to intio_map_allocate_region had gotten placed in between them, I've
moved it to go before rather than after them as (a) it doesn't
interact with the loop itself and (b) this seems like the best choice
given the history as it was deliberately added before the original
test.
I have not tried running this, not having an x68k, but as best I can
tell by reading the intio code it seems like it should be harmless
even if it's not really correct.
To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/arch/x68k/dev/zs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 31 May 2016 03:54:52 +0000
State-Changed-Why:
fixed, thanks
>Unformatted:
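The difference between the two checks discussed in this PR, as an added example that is not part of the report or of the NetBSD source. It models the word that follows the table as an extra array slot so the old check can run without undefined behaviour; `mem`, `zs_find`, `match_old`, `match_fixed` and all addresses are constructed for illustration, and ZS_MAXDEV is taken as 5 from the array size in the synopsis.

```c
#include <stdint.h>
#include <stdio.h>

#define ZS_MAXDEV 5   /* table size, per 'zs_physaddr[5]' in the report */

/*
 * Slots 0..ZS_MAXDEV-1 model the address table (constructed values).
 * Slot ZS_MAXDEV models whatever object happens to sit after the table
 * in memory, so indexing it here is defined behaviour.
 */
static uintptr_t mem[ZS_MAXDEV + 1] = {
    0x1000, 0x2000, 0x3000, 0x4000, 0x5000,
    0xdead0000            /* neighbour, not a device address */
};

/* Linear search as in the report; leaves i == ZS_MAXDEV on a miss. */
static int zs_find(uintptr_t zsaddr)
{
    int i;

    for (i = 0; i < ZS_MAXDEV; i++)
        if (zsaddr == mem[i])
            break;
    return i;
}

/* Old check: re-reads the table at i; on a miss that is the neighbour. */
static int match_old(uintptr_t zsaddr)
{
    int i = zs_find(zsaddr);
    return zsaddr == mem[i];
}

/* Fixed check: decides from the loop index alone, never reads mem[i]. */
static int match_fixed(uintptr_t zsaddr)
{
    int i = zs_find(zsaddr);
    return i < ZS_MAXDEV;
}

int main(void)
{
    uintptr_t probes[] = { 0x3000, 0x9999, 0xdead0000 };

    for (size_t k = 0; k < sizeof(probes) / sizeof(probes[0]); k++)
        printf("%#lx old=%d fixed=%d\n", (unsigned long)probes[k],
               match_old(probes[k]), match_fixed(probes[k]));
    return 0;
}
```

The third probe is the case that separates the two: the old check accepts an address that is not in the table because it equals the adjacent word, while the index test rejects it.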