kern/46200: read array past end in drm/dist/shared-core/i915_suspend.c

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/46200: read array past end in drm/dist/shared-core/i915_suspend.c
From: Manuel.Bouyer%lip6.fr@localhost
Date: Thu, 15 Mar 2012 18:50:01 +0000 (UTC)

>Number:         46200
>Category:       kern
>Synopsis:       read array past end in drm/dist/shared-core/i915_suspend.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 15 18:50:00 +0000 2012
>Originator:     Manuel.Bouyer%lip6.fr@localhost
>Release:        NetBSD 6.0_BETA
>Organization:
>Environment:
System: NetBSD pop.soc.lip6.fr 6.0_BETA NetBSD 6.0_BETA (XEN3PAE_DOMU) i386
Architecture: i386
Machine: i386
>Description:
        in sys/external/bsd/drm/dist/shared-core/i915_suspend.c, line 510-517:
        /* Memory arbitration state */
        I915_WRITE (MI_ARB_STATE, dev_priv->saveMI_ARB_STATE | 0xffff0000);

        for (i = 0; i < 16; i++) {
                I915_WRITE(SWF00 + (i << 2), dev_priv->saveSWF0[i]);
                I915_WRITE(SWF10 + (i << 2), dev_priv->saveSWF1[i+7]);
        }

but saveSWF1 is a 16-elements array; so saveSWF1[i+7] will obviously
read wronf data.

>How-To-Repeat:
        code inspection (or gcc -03).
>Fix:
        I don't know if the loop bound should be changed, or if
        saveSWF1[i+7] should be saveSWF1[i] (or something else)

Prev by Date: Re: kern/46199: 6.0_BETA. "qemu -net tap" + bridge(4). Network problems in guests.
Next by Date: kern/46201: read array past end in sys/external/isc/atheros_hal/dist/ah_eeprom_v4k.c
Previous by Thread: kern/46199: 6.0_BETA. "qemu -net tap" + bridge(4). Network problems in guests.
Next by Thread: kern/46201: read array past end in sys/external/isc/atheros_hal/dist/ah_eeprom_v4k.c
Indexes:

Home | Main Index | Thread Index | Old Index