tws_passthru() does a copyin of a user-specified request without
validating the length. This can only be exploited by root, however.
Details
Details
None. I have no way of testing this.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).
Comment Actions
I was wondering about that too. AFAIK there is no mechanism at the upper layers to serialize calls to the ioctl handler, so two threads can race here.
Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).
I don't own any hardware driven by tws. Any help on that front would be much appreciated.
Comment Actions
My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.