freebsd-nq/sys/dev/pci
John Baldwin 74aa2d49d6 Don't directly dereference a user pointer in the VPD ioctl.
The PCIOCLISTVPD ioctl on /dev/pci is used to fetch a list of VPD
key-value pairs for a specific PCI function.  It is used by
'pciconf -l -V'.  The list is stored in a userland-supplied buffer as
an array of variable-length structures where the key and data length
are stored in a fixed-size header followed by the variable-length
value as a byte array.  To facilitate walking this array in userland,
<sys/pciio.h> provides a PVE_NEXT() helper macro to return a pointer
to the next array element by reading the length out of the current
header and using it to compute the address of the next header.

To simplify the implementation, the ioctl handler was also using
PVE_NEXT() on the user address of the user buffer to compute the
user address of the next array element.  However, the PVE_NEXT() macro
when used with a user address was reading the value's length by
indirecting the user pointer.  The value was read after the current
record had been copied out to the user buffer, so it appeared to work
on architectures where user addresses are directly dereferenceable from
the kernel (all but powerpc and i386 after the 4:4 split).  The recent
enablement of SMAP on amd64 caught this violation however.  To fix,
add a variant of PVE_NEXT() for use in the ioctl handler that takes an
explicit value length.

Reported by:	Jeffrey Pieper @ Intel
Reviewed by:	kib
Approved by:	re (gjb)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D16800
2018-08-31 16:10:01 +00:00
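
An added example, not FreeBSD's code: a userland model of the record layout and the fix described in the commit message above. `vpd_elem`, `ELEM_NEXT`, `ELEM_NEXT_LEN`, `copy_to_dst`, `emit_list` and `walk_list` are hypothetical stand-ins, and the field layout and sample pairs are constructed. In userland both macros compute the same address; the difference matters only when the destination is a user address handled inside the kernel.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the layout in the commit message: fixed header, then value. */
struct vpd_elem { char key[2]; uint8_t flags; uint8_t datalen; uint8_t data[]; };
struct src { const char *key, *val; };	/* one kernel-side key/value pair */
/* Consumer helper: reads the length through the pointer it is given. */
#define ELEM_NEXT(e) ((const char *)(e) + sizeof(struct vpd_elem) + (e)->datalen)
/* Producer variant: explicit length, so the pointer is never dereferenced. */
#define ELEM_NEXT_LEN(e, len) ((char *)(e) + sizeof(struct vpd_elem) + (len))
/* Stand-in for copyout(9): the only access to the destination buffer. */
static void copy_to_dst(const void *src, void *dst, size_t len) { memcpy(dst, src, len); }

/* Emit records into dst; returns bytes used, or -1 if dst is too small. */
static long emit_list(const struct src *s, size_t n, void *dst, size_t dstlen)
{
	char *out = dst, *end = out + dstlen;
	struct vpd_elem hdr = { .flags = 0 };
	for (size_t i = 0; i < n; i++) {
		size_t len = strlen(s[i].val);
		if (len > UINT8_MAX || (size_t)(end - out) < sizeof(hdr) + len)
			return (-1);
		memcpy(hdr.key, s[i].key, sizeof(hdr.key));
		hdr.datalen = (uint8_t)len;
		copy_to_dst(&hdr, out, sizeof(hdr));
		copy_to_dst(s[i].val, out + sizeof(hdr), len);
		out = ELEM_NEXT_LEN(out, hdr.datalen);	/* length from our own copy */
	}
	return (out - (char *)dst);
}

/* Userland walk with bounds checks; returns record count, or -1 if truncated. */
static long walk_list(const void *buf, size_t used)
{
	const char *p = buf, *end = p + used;
	long count = 0;
	for (; p < end; count++) {
		const struct vpd_elem *e = (const void *)p;
		if ((size_t)(end - p) < sizeof(*e) || (size_t)(end - p) < sizeof(*e) + e->datalen)
			return (-1);
		p = ELEM_NEXT(e);
	}
	return (count);
}

int main(void)
{
	const struct src s[] = { {"PN", "ABC-123"}, {"SN", "0001"} };	/* constructed */
	char buf[64];
	long used = emit_list(s, 2, buf, sizeof(buf));
	return (used > 0 && walk_list(buf, (size_t)used) == 2 ? 0 : 1);
}
```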
..
fixup_pci.c sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
hostb_pci.c Add PCI methods to iterate over the PCI capabilities 2018-02-19 18:41:56 +00:00
ignore_pci.c sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
isa_pci.c sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
pci_host_generic_acpi.c ARM64: Add support for ThunderX2 PCIe 2018-07-09 08:55:07 +00:00
pci_host_generic_fdt.c If ofw_bus_msimap fails don't try to use the invalid MSI/MSI-X parent node. 2017-03-16 17:49:37 +00:00
pci_host_generic_fdt.h
pci_host_generic.c Fix build broken by r336130 2018-07-10 09:49:27 +00:00
pci_host_generic.h Remove redundant declarations. Newer gcc has a warning for these so will 2017-08-19 17:18:27 +00:00
pci_if.m Add PCI methods to iterate over the PCI capabilities 2018-02-19 18:41:56 +00:00
pci_iov_if.m
pci_iov_private.h
pci_iov_schema.c
pci_iov.c
pci_iov.h
pci_pci.c Only conform to PCIe spec of 1 device per bus on !x86 2018-05-30 22:39:41 +00:00
pci_private.h Add PCI methods to iterate over the PCI capabilities 2018-02-19 18:41:56 +00:00
pci_subr.c sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
pci_user.c Don't directly dereference a user pointer in the VPD ioctl. 2018-08-31 16:10:01 +00:00
pci.c Rudimentary AER reading code for ddb(4). 2018-08-18 20:35:19 +00:00
pcib_if.m Create pcib_request_feature. 2017-02-25 06:11:36 +00:00
pcib_private.h sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
pcib_support.c
pcireg.h sys/dev: further adoption of SPDX licensing ID tags. 2017-11-27 14:52:40 +00:00
pcivar.h Back out r338035 until Warner is finished churning GSoC PNP patches 2018-08-19 00:46:22 +00:00
schema_private.h
vga_pci.c Allow PCI VGA devices to be detached. 2018-05-03 22:51:44 +00:00