Subject: kern/25128: NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <pancake@phreaker.net>
List: netbsd-bugs
Date: 04/10/2004 17:46:01
>Number:         25128
>Category:       kern
>Synopsis:       NetBSD-2.0 (also 1.6 and current) segfaults using wi driver
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 10 16:46:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 2.0B
>Organization:
	
>Environment:
	
	
System: NetBSD pl2 2.0B NetBSD 2.0B (pancake-laptop) #12: Sat Apr 10 17:12:00 CEST 2004 root@panser:/usr/src/sys/arch/i386/compile/PANCAKE_LAPTOP i386
Architecture: i386
Machine: i386
>Description:
	The NetBSD implementation of the wi driver is buggy.
>How-To-Repeat:
	I receive this error trying to sniff using wistumbler2 under the
	Gtk2 GUI. It seems that it calls the initialization of the wifi
	interface two times fast enough, and the kernel doesn't handle
	that. I was debugging the kernel, patching and rebuilding.
	I will keep looking at that, but it could be nice if more people
	looked at this bug.

	The final idea that I took from this bug was that the vulnerable
	code is in dev/pcmcia/if_wi_pcmcia.c, in the 'wi_pcmcia_enable'
	function. This bug comes from older versions of NetBSD. I just
	wrote some printf's in this function and it looks like this:

----8<---------[cut here]----
static int
wi_pcmcia_enable(sc)
	struct wi_softc *sc;
{
	struct wi_pcmcia_softc *psc = (struct wi_pcmcia_softc *)sc;
	struct pcmcia_function *pf; /* = psc->sc_pf; */

	printf("WI_PCMCIA_ENABLE: 1\n");
	pf = psc->sc_pf;
	printf("WI_PCMCIA_ENABLE: 2\n");

	/* establish the interrupt. */
	sc->sc_ih = pcmcia_intr_establish(pf, IPL_NET, wi_intr, sc);
	printf("WI_PCMCIA_ENABLE: 3\n");
	if (sc->sc_ih == NULL) {
		printf("%s: couldn't establish interrupt\n",
		    sc->sc_dev.dv_xname);
		return (EIO);
	}

	printf("WI_PCMCIA_ENABLE: 4\n");
	if (pcmcia_function_enable(pf) != 0) {
		printf("%s: couldn't enable card\n", sc->sc_dev.dv_xname);
		pcmcia_intr_disestablish(pf, sc->sc_ih);
		return (EIO);
	}
	DELAY(1000);

	printf("WI_PCMCIA_ENABLE: 5\n");
	if (psc->sc_symbol_cf) {
		if (wi_pcmcia_load_firm(sc,
		    spectrum24t_primsym, sizeof(spectrum24t_primsym),
		    spectrum24t_secsym, sizeof(spectrum24t_secsym))) {
			printf("%s: couldn't load firmware\n",
			    sc->sc_dev.dv_xname);
			wi_pcmcia_disable(sc);
			return (EIO);
		}
	}

	printf("WI_PCMCIA_ENABLE: ALL DONE\n");
	return (0);
}
----8<---------[cut here]----

	Ok, then I run wistumbler2 under X Windows, and crash! Everything
	is halted. Then I jump to the debugger, sync disks and reboot my box.
	Back in NetBSD, reading /var/log/messages I can see these
	messages:
# grep -e WI_PCMCIA_ENABLE /var/log/messages
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: 5
Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 1
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 2
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 3
Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 4
Apr 10 17:26:02 pl2 /netbsd: WI_PCMCIA_ENABLE: 1

	As we can see, the kernel jumps back after step 4, skipping step 5
	and the ALL DONE step. When this code runs the first step again,
	it breaks.

	The bt from ddb shows that it crashes here:

	Stopped in pid 489.2 (wistumbler2) at netbsd:wi_pcmcia_enable+0x92:cmpl $0,0x219c(%ebx)

	Yeah, ugly memory pointer I suppose.
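	An added illustration, not code from this report or from NetBSD, of
	two things the trace above calls for. First, a checker that scans the
	WI_PCMCIA_ENABLE markers and flags the enable that is re-entered
	before the previous one logged ALL DONE (the log lines below are
	constructed copies of the ones quoted above). Second, a hypothetical
	state-machine guard (struct guarded_sc, guarded_enable and
	guarded_disable are assumptions for the illustration, not fields or
	functions of the real wi_softc) showing how an enable routine can
	refuse a second call while the first is still in progress instead of
	running twice over the same device state.

```c
/*
 * Added illustration, not NetBSD code: a trace checker for the
 * WI_PCMCIA_ENABLE step markers, and a hypothetical re-entrancy guard
 * for an enable/disable pair. The softc layout is invented.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the syslog lines from the report. */
static const char *const trace[] = {
    "Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 1",
    "Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 2",
    "Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 3",
    "Apr 10 17:24:33 pl2 /netbsd: WI_PCMCIA_ENABLE: 4",
    "Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: 5",
    "Apr 10 17:24:34 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE",
    "Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 1",
    "Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 2",
    "Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 3",
    "Apr 10 17:25:25 pl2 /netbsd: WI_PCMCIA_ENABLE: 4",
    "Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: 5",
    "Apr 10 17:25:26 pl2 /netbsd: WI_PCMCIA_ENABLE: ALL DONE",
    "Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 1",
    "Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 2",
    "Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 3",
    "Apr 10 17:25:32 pl2 /netbsd: WI_PCMCIA_ENABLE: 4",
    "Apr 10 17:26:02 pl2 /netbsd: WI_PCMCIA_ENABLE: 1",
};
#define TRACE_LEN (sizeof(trace) / sizeof(trace[0]))

/*
 * Return the index of the first line that starts a new enable sequence
 * ("1") while the previous sequence has not logged "ALL DONE", or -1 if
 * every sequence completed. Lines without the marker are ignored.
 */
int find_reentry(const char *const *lines, size_t n)
{
    const char *marker = "WI_PCMCIA_ENABLE: ";
    int in_progress = 0;            /* an enable started and has not finished */
    for (size_t i = 0; i < n; i++) {
        const char *p = strstr(lines[i], marker);
        if (p == NULL)
            continue;
        p += strlen(marker);
        if (strcmp(p, "1") == 0) {
            if (in_progress)
                return (int)i;      /* re-entered before "ALL DONE" */
            in_progress = 1;
        } else if (strcmp(p, "ALL DONE") == 0) {
            in_progress = 0;
        }
    }
    return -1;
}

/* Hypothetical per-device state; not part of the real wi_softc. */
enum wi_enable_state { WI_DISABLED, WI_ENABLING, WI_ENABLED };

struct guarded_sc {
    enum wi_enable_state state;
    int enable_calls;               /* how many times the body actually ran */
};

/*
 * Guarded enable: only a DISABLED device may start enabling. A call that
 * arrives while the state is ENABLING or ENABLED gets EBUSY and touches
 * nothing. On body failure the state rolls back so a later enable can retry.
 */
int guarded_enable(struct guarded_sc *sc, int (*body)(struct guarded_sc *))
{
    if (sc->state != WI_DISABLED)
        return EBUSY;
    sc->state = WI_ENABLING;
    sc->enable_calls++;
    if (body(sc) != 0) {
        sc->state = WI_DISABLED;
        return EIO;
    }
    sc->state = WI_ENABLED;
    return 0;
}

int guarded_disable(struct guarded_sc *sc)
{
    if (sc->state != WI_ENABLED)
        return EBUSY;
    sc->state = WI_DISABLED;
    return 0;
}

/* Body that simulates a second enable arriving mid-way (during the DELAY
 * or firmware load); the nested call must be refused, not run again. */
static int reentrant_body(struct guarded_sc *sc)
{
    return guarded_enable(sc, reentrant_body) == EBUSY ? 0 : -1;
}

/* Drive the guard: outer enable succeeds, nested enable refused, body ran once. */
int demo_guard(void)
{
    struct guarded_sc sc = { WI_DISABLED, 0 };
    if (guarded_enable(&sc, reentrant_body) != 0)
        return -1;
    if (sc.enable_calls != 1 || sc.state != WI_ENABLED)
        return -2;
    if (guarded_enable(&sc, reentrant_body) != EBUSY)   /* already enabled */
        return -3;
    if (guarded_disable(&sc) != 0 || sc.state != WI_DISABLED)
        return -4;
    return 0;
}

int main(void)
{
    int idx = find_reentry(trace, TRACE_LEN);
    printf("re-entry at trace line %d: %s\n", idx, idx >= 0 ? trace[idx] : "none");
    printf("guard demo: %d\n", demo_guard());
    return 0;
}
```

	Run stand-alone, the checker reports the last trace line (index 16),
	the "1" logged at 17:26:02 while the 17:25:32 sequence was stuck after
	step 4; the guard demo returns 0, meaning the nested enable was refused
	and the body ran exactly once.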
	
>Fix:
	Patch patch patch :) This file, I suppose.
	
>Release-Note:
>Audit-Trail:
>Unformatted: