netbsd-bugs: kern/27255: PCMCIA NIC with blank CIS tuples crashes the kernel -- possible NULL deref in strcmp.S

Subject: kern/27255: PCMCIA NIC with blank CIS tuples crashes the kernel -- possible NULL deref in strcmp.S
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <ntarmos@ceid.upatras.gr>
List: netbsd-bugs
Date: 10/13/2004 22:42:14

>Number:         27255
>Category:       kern
>Synopsis:       PCMCIA NIC with blank CIS tuples crashes the kernel -- possible NULL deref in strcmp.S
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 13 22:43:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Nikos Ntarmos
>Release:        2.0_RC4
>Organization:
NetCInS Lab. - CEID - UPatras - Greece
>Environment:
NetBSD valkyrie.ceid.upatras.gr 2.0_RC4 NetBSD 2.0_RC4 (GENERIC_LAPTOP) #0: Sat Oct  10 17:42:23 EEST 2004  ntarmos@valkyrie:/home/ntarmos/builds/NetBSD-2.0_RC4-i386-obj/sys/arch/i386/compile/GENERIC_LAPTOP i386
>Description:
Inserting a "broken" pcmcia nic in a laptop running NetBSD 2.0 RC4 (GENERIC_LAPTOP) results in a kernel crash and a drop to ddb:

<snip>
uvm_fault(0xc0600de0, 0, 0, 1) -> 0xe
kernel: page fault trap, code=0
Stopped in pid 5.1 (cardslot0) at netbsd:strcmp+0xe: movb 0(%eax), %cl
db> trace
strcmp(c07c7800,c059e248,c2fe5f34,c2fe5eb4) at netbasd:strcmp+0xe
config_match(c07c7800,c059e248,c2fe5f34,c0498bb0,c059e248) at netbsd:config_match+0x28
mapply(c2fe5eb4,c059e248,c0100010,30,c0443d60) at netbsd:mapply+0x36
config_search(c0443d60,c07c7800,c2fe5f34,0,0) at netbsd:config_search+0x8c
config_found_sm(c07c7800,c2fe5f34,c0443d9c,c0443d60,ffffffff) at netbsd:config_found_sm+0x1c
pcmcia_card_attach(c07c7800,c05a7de0,c2fe5f8c,c0437e19,c2fcc660) at netbsd:pcmcia_card_attach+0xd3
cardslot_event_thread(c07f3f00,6b0000,6b9000,0,c0100321) at netbsd:cardslot_event_thread+0x22c
db> 
</snip>

At the time of the crash %eax is 0 (thus spoke 'show registers'), which looks like a null pointer dereference to me (in 'movb 0(%eax), %cl'). What I don't get is how the path of execution reached strcmp from config_match withouth going through config_cfattach_lookup first. The next thing in my path is building a debug kernel and further investigating this one. I'll also check fixes 1 and 2 and report back. I'd appreciate any no-no feedback, though.

FWIW I have reproduced this crash with both cbb/cardbus and pcic (s/cardslot_event_thread/pcic_event_thread/), plus this problem also manifests in all 5.x and -CURRENT FreeBSD flavors, but not in FreeBSD 4.x (I used to operate this nic under FreeBSD 4.x, using 'pccardc enabler ...' with much success, up to now).
>How-To-Repeat:
Ummm... Insert a pcmcia card with null cis tuples in a laptop running NetBSD and watch... The nic at hand is a DCT ThinNet2000.
>Fix:
1. Tweak strcmp.S to check for null pointers (%eax equals 0).
2. Tweak STREQ in sys/kern/subr_autoconf.c to check for null pointers.
3. Get myself a new nic :)
>Release-Note:
>Audit-Trail:
>Unformatted: