Bug #14561

closed

fwflash -l on ufm without known PCI device id crashes

Added by Robert Mustacchi 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Category: cmd - userland programs
% Done: 100%
Difficulty: Medium

Description

I recently was on a system and ran fwflash -l and found a bit of a surprise:

rm@remus ~ $ pfexec fwflash -l
Segmentation Fault

Digging in:

$ pfexec mdb /usr/sbin/fwflash 
> ::run -l
mdb: stop on SIGSEGV
mdb: target stopped at:
libc_hwcap2.so.1`strlen+0xb:    cmpb   $0x0,(%eax)
mdb: You've got symbols!
Loading modules: [ ld.so.1 libumem.so.1 libc.so.1 libnvpair.so.1 libuutil.so.1 libavl.so.1 ]
> $C
0803a478 libc_hwcap2.so.1`strlen+0xb(2, 51a3, fea035fd, 803a4b0, 18, 0)
0803a4d8 ufm.so`ufmfw_fill_vpd+0x19f(9a2df28, 9996ab8, 9a2df60, 0)
0803b148 ufm.so`ufmfw_di_walk_cb+0x2e0(9996ab8, 803b1d0, 803b198)
0803b168 libdevinfo.so.1`walk_one_node+0x2c(803b198, 0, 803b1d0, fea01ced)
0803b1b8 libdevinfo.so.1`di_walk_node+0x7c(9992458, 0, 803b1d0, fea01ced)
0803b1e8 ufm.so`fw_identify+0x6d(0, 80541c4, 8de1548, feb204c0, 8053c2e, 1)
0803b228 flash_device_list+0x10c()
0803b258 main+0x1ad(fed29377, feda35c8)
0803b298 _start_crt+0x9a(2, 803b2bc, f324401f, 0, 0, 0)
0803b2b0 _start+0x1a(2, 803b394, 803b39c, 0, 803b39f, 803b3af)
> 9a2df28::print struct devicelist
{
    access_devname = 0x8de3f88 "/devices/pci@0,0/pci1022,1483@1,1/pci1344,4000@0" 
    drvname = 0x9a2ff08 "ufm" 
    classname = 0x9a2ffd8 "ufm" 
    ident = 0x8dd9fb8
    index = 0
    addresses = [ 0x9a2df60 "/pci@0,0/pci1022,1483@1,1/pci1344,4000@0", 0, 0, 0 ]
    plugin = 0
    nextdev = {
        tqe_next = 0
        tqe_prev = 0
    }
}
> ufmfw_fill_vpd+0x19f::dis
ufm.so`ufmfw_fill_vpd+0x177:    je     +0xbe    <ufm.so`ufmfw_fill_vpd+0x23b>
ufm.so`ufmfw_fill_vpd+0x17d:    movl   0xc(%esi),%edx
ufm.so`ufmfw_fill_vpd+0x180:    movl   %eax,(%edx)
ufm.so`ufmfw_fill_vpd+0x182:    cmpl   $0x0,-0x20(%ebp)
ufm.so`ufmfw_fill_vpd+0x186:    je     +0xda    <ufm.so`ufmfw_fill_vpd+0x266>
ufm.so`ufmfw_fill_vpd+0x18c:    subl   $0xc,%esp
ufm.so`ufmfw_fill_vpd+0x18f:    pushl  -0x40(%ebp)
ufm.so`ufmfw_fill_vpd+0x192:    call   -0x584   <PLT=libpcidb.so.1`pcidb_device_name>
ufm.so`ufmfw_fill_vpd+0x197:    movl   %eax,(%esp)
ufm.so`ufmfw_fill_vpd+0x19a:    call   -0x59c   <PLT=libc_hwcap2.so.1`strdup>
ufm.so`ufmfw_fill_vpd+0x19f:    movl   %eax,-0x20(%ebp)
ufm.so`ufmfw_fill_vpd+0x1a2:    addl   $0x10,%esp
ufm.so`ufmfw_fill_vpd+0x1a5:    movl   -0x20(%ebp),%eax
ufm.so`ufmfw_fill_vpd+0x1a8:    testl  %eax,%eax
ufm.so`ufmfw_fill_vpd+0x1aa:    je     +0xd6    <ufm.so`ufmfw_fill_vpd+0x286>
ufm.so`ufmfw_fill_vpd+0x1b0:    movl   0xc(%esi),%edx
ufm.so`ufmfw_fill_vpd+0x1b3:    movl   %eax,0x4(%edx)
ufm.so`ufmfw_fill_vpd+0x1b6:    movl   $0x1,%eax
ufm.so`ufmfw_fill_vpd+0x1bb:    movl   -0x3c(%ebp),%ecx
ufm.so`ufmfw_fill_vpd+0x1be:    testl  %ecx,%ecx
ufm.so`ufmfw_fill_vpd+0x1c0:    je     -0x15e   <ufm.so`ufmfw_fill_vpd+0x68>
> 

This pointed to us trying to strdup the device name, but looking at the code this is clearly foobar'd and unfortunately an uninitialized warning was gagged. Here we're incorrectly using the dstr as the thing to determine whether or not to strdup itself, when we should be using dev. So instead we hit stack garbage and we're lucky that it ends this way.
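The check the report describes, as an added example that is not part of the original report or the illumos source: the table, `db_lookup()` and `device_string()` are hypothetical stand-ins for the ID database lookup, and the table entry is constructed. The `pci:<id>` fallback is modelled on the `Device: pci:51a3` line in the fixed output on this page.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a PCI ID database (hypothetical, not libpcidb). */
struct dev_ent { unsigned vid, did; const char *name; };
static const struct dev_ent db[] = {
    { 0x1234, 0x0001, "Example NVMe Controller" },   /* constructed entry */
};

/* Returns the matching entry, or NULL when the device id is not known. */
static const struct dev_ent *db_lookup(unsigned vid, unsigned did)
{
    for (size_t i = 0; i < sizeof(db) / sizeof(db[0]); i++)
        if (db[i].vid == vid && db[i].did == did)
            return &db[i];
    return NULL;
}

/*
 * Broken shape from the report, kept as a comment because it reads an
 * indeterminate pointer (undefined behaviour):
 *
 *     char *dstr;
 *     if (dstr != NULL)              // tests the output, not the lookup
 *         dstr = strdup(dev->name);  // dev can be NULL here
 *
 * Corrected shape: branch on the lookup result and fall back to a
 * "pci:<id>" string. Caller frees the result; NULL means out of memory.
 */
char *device_string(unsigned vid, unsigned did)
{
    const struct dev_ent *dev = db_lookup(vid, did);
    char buf[16];

    if (dev != NULL)
        return strdup(dev->name);
    (void)snprintf(buf, sizeof(buf), "pci:%x", did);
    return strdup(buf);
}

int main(void)
{
    char *s = device_string(0x1344, 0x51a3);   /* ids as shown on the page */
    puts(s != NULL ? s : "(out of memory)");
    free(s);
    return 0;
}
```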

Actions #1

Updated by Electric Monk 5 months ago

  • Gerrit CR set to 2064

Actions #2

Updated by Robert Mustacchi 5 months ago

With this in place, it now works. For example:

rm@remus ~ $ pfexec fwflash -l
List of available devices:
Device[0] /devices/pci@0,0/pci1022,1483@1,1/pci1344,4000@0
Class [ufm]
        Vendor: Micron Technology Inc
        Device: pci:51a3
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|a): 95420100
            Slot 1 (-|w|-): <empty>
            Slot 2 (-|w|-): <empty>

Device[1] /devices/pci@0,0/pci1022,1483@1,2/pci1344,4000@0
Class [ufm]
        Vendor: Micron Technology Inc
        Device: pci:51a2
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|a): 95420100
            Slot 1 (-|w|-): <empty>
            Slot 2 (-|w|-): <empty>

Device[2] /devices/pci@0,0/pci1022,1483@1,3/pci1b96,0@0
Class [ufm]
        Vendor: Western Digital
        Device: Ultrastar DC SN840 NVMe SSD
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|-): R2209200
            Slot 1 (-|w|a): R2210000
            Slot 2 (-|w|-): R2209200
            Slot 3 (-|w|-): R2209200

Device[3] /devices/pci@0,0/pci1022,1483@1,4/pci1b96,0@0
Class [ufm]
        Vendor: Western Digital
        Device: Ultrastar DC SN840 NVMe SSD
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|-): R2209200
            Slot 1 (-|w|a): R2210000
            Slot 2 (-|w|-): R2209200
            Slot 3 (-|w|-): R2209200

Device[4] /devices/pci@0,0/pci1022,1483@3,3/pci126f,2262@0
Class [ufm]
        Vendor: Silicon Motion, Inc.
        Device: SM2262/SM2262EN SSD Controller
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|w|a): SS0411B 
            Slot 1 (-|w|-): SS0411B 

Device[5] /devices/pci@0,0/pci1022,1483@3,4/pci1344,2100@0
Class [ufm]
        Vendor: Micron Technology Inc
        Device: pci:51a3
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|a): 95420100
            Slot 1 (-|w|-): <empty>
            Slot 2 (-|w|-): <empty>

Device[6] /devices/pci@76,0/pci1022,1483@1,1/pci144d,a813@0
Class [ufm]
        Vendor: Samsung Electronics Co Ltd
        Device: NVMe SSD Controller PM9A1/PM9A3/980PRO
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|a): GDA5402Q
            Slot 1 (-|w|-): <empty>
            Slot 2 (-|w|-): <empty>

Device[7] /devices/pci@76,0/pci1022,1483@1,2/pci8086,8008@0
Class [ufm]
        Vendor: Intel Corporation
        Device: NVMe DC SSD [3DNAND, Sentinel Rock Controller]
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|w|a): JCV10023
            Slot 1 (-|w|-): <empty>
            Slot 2 (-|w|-): <empty>
            Slot 3 (-|w|-): <empty>

Device[8] /devices/pci@af,0/pci1022,1483@1,1/pci1425,0@0,4
Class [ufm]
        Vendor: Chelsio Communications Inc
        Device: T62100-SO-CR Unified Wire Ethernet Controller
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (r|w|a): 1.26.4.0

Device[9] /devices/pci@af,0/pci1022,1483@3,2/pci1b96,0@0
Class [ufm]
        Vendor: Western Digital
        Device: Ultrastar DC SN840 NVMe SSD
        Capabilities: Report
        Image 0: Firmware
            Slot 0 (-|-|-): R2210000
            Slot 1 (-|w|-): R2210000
            Slot 2 (-|w|-): R2210000
            Slot 3 (-|w|a): R2210000

Device[10] /devices/pci@af,0/pci1022,1483@3,5/pci1458,0@0
Class [ufm]
        Vendor: Intel Corporation
        Device: I350 Gigabit Network Connection
        Capabilities: Report, Read Image
        Image 0: NVM
            Slot 0 (r|w|a): 1.63

Actions #3

Updated by Electric Monk 5 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 499bc737cd392291f0c92dcebcb576970689f5d8

commit  499bc737cd392291f0c92dcebcb576970689f5d8
Author: Robert Mustacchi <rm@fingolfin.org>
Date:   2022-03-15T17:30:42.000Z

    14561 fwflash -l on ufm without known PCI device id crashes
    Reviewed by: Jason King <jason.brian.king@gmail.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Gordon Ross <gordon.w.ross@gmail.com>
