Page MenuHomeFreeBSD
Differential D18536

Add bounds checking to the tws(4) passthrough ioctl handler.
ClosedPublic
Actions

Authored by markj on Dec 12 2018, 11:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Oct 15, 1:11 AM
Unknown Object (File)
Wed, Oct 15, 1:10 AM
Unknown Object (File)
Wed, Oct 15, 1:10 AM
Unknown Object (File)
Tue, Oct 14, 4:24 PM
Unknown Object (File)
Tue, Oct 14, 1:54 AM
Unknown Object (File)
Wed, Oct 8, 7:30 AM
Unknown Object (File)
Tue, Oct 7, 2:38 PM
Unknown Object (File)
Tue, Sep 30, 7:38 PM
View All Files
Subscribers
imp
jpaetzel

Details

Reviewers
delphij
emaste
Commits
rS342787: Add a bounds check to the tws(4) passthrough ioctl handler.
Summary

tws_passthru() does a copyin of a user-specified request without
validating the length. This can only be exploited by root, however.

Test Plan

None. I have no way of testing this.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Dec 12 2018, 11:40 PM
Harbormaster completed remote builds in B21527: Diff 51940.Dec 12 2018, 11:40 PM
markj edited the test plan for this revision. (Show Details)Dec 12 2018, 11:41 PM
markj added reviewers: delphij, emaste.
delphij accepted this revision.Dec 13 2018, 12:53 AM
delphij added a subscriber: jpaetzel.

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

This revision is now accepted and ready to land.Dec 13 2018, 12:53 AM
markj added a comment.Dec 13 2018, 1:02 AM
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation).

I was wondering about that too. AFAIK there is no mechanism at the upper layers to serialize calls to the ioctl handler, so two threads can race here.

Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

I don't own any hardware driven by tws. Any help on that front would be much appreciated.

jpaetzel added a comment.Dec 13 2018, 4:02 PM
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.

markj added a comment.Jan 4 2019, 6:42 PM
In D18536#395272, @jpaetzel wrote:
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.

Ping?

jpaetzel added a comment.Jan 4 2019, 6:44 PM
In D18536#400013, @markj wrote:
In D18536#395272, @jpaetzel wrote:
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.

Ping?

I haven't been deemed worthy of a reply, so I guess that's a no.

delphij added a comment.Jan 4 2019, 6:57 PM
In D18536#400014, @jpaetzel wrote:
In D18536#400013, @markj wrote:
In D18536#395272, @jpaetzel wrote:
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.

Ping?

I haven't been deemed worthy of a reply, so I guess that's a no.

Thanks, let's land the change then.

markj added a comment.Jan 4 2019, 6:58 PM
In D18536#400015, @delphij wrote:
In D18536#400014, @jpaetzel wrote:
In D18536#400013, @markj wrote:
In D18536#395272, @jpaetzel wrote:
In D18536#395145, @delphij wrote:

LGTM (the unlocked use of sc->ioctl_data_mem looks worrisome to me, but the proposed change won't worsen the situation). Do you have a chance to test this on real hardware? (@jpaetzel do you know someone who may be able to help with that?).

My last 9750 died a while ago. I'll ping Austin @ ix to see if he can rig up a system for us to test with.

Ping?

I haven't been deemed worthy of a reply, so I guess that's a no.

Thanks, let's land the change then.

Yeah, it's simple enough that I'm not too worried.

Closed by commit rS342787: Add a bounds check to the tws(4) passthrough ioctl handler. (authored by markj). · Explain WhyJan 5 2019, 3:28 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: imp. · View Herald TranscriptJan 5 2019, 3:28 PM

Revision Contents
Changeset List

PathSize
head/
sys/
dev/
tws/
8 lines

Diff 52588

View Options

head/sys/dev/tws/tws_user.c

Loading...