Page MenuHomeFreeBSD

Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) 32-bit compat mode
ClosedPublic

Authored by brooks on Mar 11 2018, 5:07 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 24, 7:23 AM
Unknown Object (File)
Oct 28 2024, 7:00 AM
Unknown Object (File)
Oct 14 2024, 8:58 AM
Unknown Object (File)
Oct 3 2024, 2:48 PM
Unknown Object (File)
Sep 30 2024, 11:31 PM
Unknown Object (File)
Sep 27 2024, 10:11 AM
Unknown Object (File)
Sep 25 2024, 12:07 PM
Unknown Object (File)
Sep 23 2024, 2:35 PM
Subscribers
None

Details

Summary

These take a union ccb argument which is full of kernel pointers and was
not designed to be exposed to userspace. Substantial translation
efforts would be required to make this work. By rejecting the request
we avoid processing or returning entierly wrong data.

Sponsored by: DARPA, AFRL

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 15498
Build 15540: arc lint + arc unit

Event Timeline

brooks retitled this revision from Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4). to Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) 32-bit compat mode.Mar 11 2018, 5:09 PM
This revision is now accepted and ready to land.Mar 11 2018, 5:34 PM
markj added inline comments.
sys/cam/scsi/scsi_pass.c
1866

This distinction doesn't matter in practice, but shouldn't we be checking the flags from the "td" argument to passdoioct()?

  • Use SV_PROC_FLAG rather than SV_CURPROC_FLAG.
This revision now requires review to proceed.Mar 12 2018, 4:24 PM
This revision is now accepted and ready to land.Mar 12 2018, 4:26 PM

Yea, there's no way in hell this could possibly work now. Better to say so than to allow it. Not sure ENOTTY is the right error, but have no appetite to bikeshed on it.

This is fine. It would be an unusual situation in any case to have a 32-bit binary attempting to use these ioctls, since they are relatively new (late 2015 when they went in the tree).

For what it's worth, CAM was designed from the beginning with the idea that CCBs would be shared between userland and the kernel. All of the CDB filling routines (e.g. scsi_read_write(), scsi_inquiry(), etc.) and many others are available in userland and the kernel, so that you can write to much the same API in userland and in the kernel.

There are kernel pointers in there, though, and we might do things a little differently if we were doing it today.

This revision was automatically updated to reflect the committed changes.