Page MenuHomeFreeBSD

Don't try to copyout() to a kernel buffer.
ClosedPublic

Authored by jhb on Apr 16 2020, 11:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Mar 19, 9:35 PM
Unknown Object (File)
Tue, Mar 19, 5:24 PM
Unknown Object (File)
Jan 14 2024, 4:27 AM
Unknown Object (File)
Dec 23 2023, 12:40 AM
Unknown Object (File)
Dec 15 2023, 4:36 AM
Unknown Object (File)
Sep 30 2023, 6:35 AM
Unknown Object (File)
Sep 25 2023, 11:36 PM
Unknown Object (File)
Sep 6 2023, 7:48 PM
Subscribers

Details

Summary

The handle_string callback for ENCIOC_GET_ENCNAME and ENCIOC_GETENCID
ioctls tries to copy the size of the actual string out to userland.
However, the callback only has access to the kernel copy of the
structure populated by copyin. The copyout() call simply overwrites
the value in the kernel's copy preventing the subsequent overflow
prevention logic from working (or faults if SMAP is enabled). Fix
this by instead doing a copyout() of the updated length in the caller
after the callback returns.

Test Plan
  • cam.ko compiles, no way to test

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This was found in CheriBSD where user space pointers and kernel pointers are currently different types.

sys/cam/scsi/scsi_enc_ses.c
2929 โ†—(On Diff #70667)

In the absence of SMAP, the effect of this was sstr->bufsiz = rsize which then defeats the bounds check 2 lines below.

kib added inline comments.
sys/cam/scsi/scsi_enc_ses.c
2929 โ†—(On Diff #70667)

I do not believe SMAP would make this fault.

In fact I am not aware of any technique that would allow such uses of copyin to fault and which are not prohibitively costly. For instance, if pti is enabled and PCID is functional, we could switch to user page tables there, but even then we need to map the kernel buffer.

This revision is now accepted and ready to land.Apr 16 2020, 11:56 PM

Oh right, SMAP just prevents the other type of confusion (direct access to userland)

This revision was automatically updated to reflect the committed changes.