kern/46196: array overflow in sys/external/bsd/drm/dist/shared-core/i915_suspend.c

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/46196: array overflow in sys/external/bsd/drm/dist/shared-core/i915_suspend.c
From: Manuel.Bouyer%lip6.fr@localhost
Date: Wed, 14 Mar 2012 21:00:01 +0000 (UTC)

>Number:         46196
>Category:       kern
>Synopsis:       array overflow in 
>sys/external/bsd/drm/dist/shared-core/i915_suspend.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 14 21:00:00 +0000 2012
>Originator:     Manuel.Bouyer%lip6.fr@localhost
>Release:        NetBSD 6.0_BETA
>Organization:
>Environment:
System: NetBSD pop.soc.lip6.fr 6.0_BETA NetBSD 6.0_BETA (XEN3PAE_DOMU) i386
Architecture: i386
Machine: i386
>Description:
        building an amd64 GENERIC kernel with -03, I got:
/dsk/l1/misc/bouyer/quota2/src/sys/external/bsd/drm/dist/shared-core/i915_suspend.c:
 In function 'i915_restore_state':
/dsk/l1/misc/bouyer/quota2/src/sys/external/bsd/drm/dist/shared-core/i915_suspend.c:515:3:
 error: array subscript is above array bounds

        indeed we have:
        for (i = 0; i < 16; i++) {
                I915_WRITE(SWF00 + (i << 2), dev_priv->saveSWF0[i]);
                I915_WRITE(SWF10 + (i << 2), dev_priv->saveSWF1[i+7]);
        }

        but saveSWF1[] has only 16 elements. So there's obviously something
        wrong, but I don't know what ...

>How-To-Repeat:
        builds amd64 GENERIC with -O3
>Fix:

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: Re: bin/46178: makemandb(8) crashes while indexing manual pages
Previous by Thread: kern/46195: Unseen IDE CDROM drive on 6.0_BETA
Next by Thread: port-sparc64/46197: bge failure when netbooting sparc64
Indexes:

Home | Main Index | Thread Index | Old Index