Don't try to copyout() to a kernel buffer.
ClosedPublic
Actions

Authored by jhb on Apr 16 2020, 11:18 PM.

Details

Reviewers

mav
kib

Commits

rS360048: Don't try to copyout() to a kernel buffer.

Summary

The handle_string callback for ENCIOC_GET_ENCNAME and ENCIOC_GETENCID
ioctls tries to copy the size of the actual string out to userland.
However, the callback only has access to the kernel copy of the
structure populated by copyin. The copyout() call simply overwrites
the value in the kernel's copy preventing the subsequent overflow
prevention logic from working (or faults if SMAP is enabled). Fix
this by instead doing a copyout() of the updated length in the caller
after the callback returns.

Test Plan

cam.ko compiles, no way to test

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb created this revision.Apr 16 2020, 11:18 PM

Harbormaster completed remote builds in B30548: Diff 70667.Apr 16 2020, 11:18 PM

This was found in CheriBSD where user space pointers and kernel pointers are currently different types.

sys/cam/scsi/scsi_enc_ses.c
2929 ↗	(On Diff #70667)	In the absence of SMAP, the effect of this was `sstr->bufsiz = rsize` which then defeats the bounds check 2 lines below.

kib accepted this revision.Apr 16 2020, 11:56 PM

kib added inline comments.

sys/cam/scsi/scsi_enc_ses.c
2929 ↗	(On Diff #70667)	I do not believe SMAP would make this fault. In fact I am not aware of any technique that would allow such uses of copyin to fault and which are not prohibitively costly. For instance, if pti is enabled and PCID is functional, we could switch to user page tables there, but even then we need to map the kernel buffer.