
Don't access a user buffer directly from the kernel.
Closed, Public

Authored by jhb on Apr 18 2020, 7:41 PM.
Details

Summary

The handle_string callback for the ENCIOC_SETSTRING ioctl was passing a
user pointer to memcpy(). Fix by using copyin() instead.

For ENCIOC_GETSTRING ioctls, the handler was storing the user pointer
in a CCB's data_ptr field where it was indirected by other code. Fix
this by allocating a temporary buffer (which ENCIOC_SETSTRING already
did) and copying the result out to the user buffer after the CCB has
been processed.

Test Plan
  • compile tested only
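The pattern the summary describes (a kernel temporary buffer, copyin()/copyout() at the user boundary, the CCB's data_ptr pointing only at kernel memory, and the buffer freed on every exit path), as an added userspace model that is not the FreeBSD code under review: the fake user address space, the simulated copyin/copyout, and the request and CCB structs are constructed stand-ins.

```c
/* Added example, not the FreeBSD source: models the ENCIOC_SETSTRING /
 * ENCIOC_GETSTRING fix. copyin/copyout are simulated by bounds-checking
 * against a fake user address space; the real kernel functions do this
 * with page-fault handling instead. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define UBUF_SIZE 256
static uint8_t user_space[UBUF_SIZE];          /* constructed fake user memory */
static char device_string[64] = "enclosure-0"; /* constructed enclosure state */

/* True when [uaddr, uaddr+len) lies entirely inside the fake user space. */
static int uaddr_ok(const void *uaddr, size_t len) {
    uintptr_t a = (uintptr_t)uaddr, lo = (uintptr_t)user_space;
    return a >= lo && len <= UBUF_SIZE && a - lo <= UBUF_SIZE - len;
}
/* Stand-ins for copyin()/copyout(): the kernel never touches uaddr directly. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len) {
    if (!uaddr_ok(uaddr, len)) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}
static int sim_copyout(const void *kaddr, void *uaddr, size_t len) {
    if (!uaddr_ok(uaddr, len)) return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

struct encioc_string { size_t bufsiz; void *buf; }; /* user-supplied request */
struct ccb { void *data_ptr; size_t dxfer_len; };   /* kernel transfer descriptor */

/* Stand-in for the SES layer processing the CCB: it reads and writes only
 * through data_ptr, so data_ptr must be a kernel address. */
static int process_ccb(struct ccb *c, int is_get) {
    if (c->dxfer_len > sizeof(device_string)) return EINVAL;
    if (is_get) memcpy(c->data_ptr, device_string, c->dxfer_len);
    else memcpy(device_string, c->data_ptr, c->dxfer_len);
    return 0;
}

/* The fixed handler: temp buffer, copyin before / copyout after the CCB,
 * and buf freed on every path (the free() note from the review). */
static int handle_string(struct encioc_string *req, int is_get) {
    int error = 0;
    if (req->bufsiz > sizeof(device_string)) return EINVAL;
    char *buf = malloc(req->bufsiz);
    if (buf == NULL) return ENOMEM;
    if (!is_get && (error = sim_copyin(req->buf, buf, req->bufsiz)) != 0) goto out;
    struct ccb c = { .data_ptr = buf, .dxfer_len = req->bufsiz };
    if ((error = process_ccb(&c, is_get)) != 0) goto out;
    if (is_get) error = sim_copyout(buf, req->buf, req->bufsiz);
out:
    free(buf);
    return error;
}
```

A request whose buffer lies outside the user address space fails with EFAULT at the boundary instead of being dereferenced by the CCB code, and the temporary buffer is released on that path too.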

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

This was found by CheriBSD, where user and kernel pointers are different types so they generate compile errors, but SMAP should have caught this one at runtime I think.

jrtc27 added inline comments.
sys/cam/scsi/scsi_enc_ses.c, line 2909 (on Diff #70744):

You need to free buf on this error path.

Modulo the free() note.

This revision is now accepted and ready to land. Apr 18 2020, 10:42 PM
jhb marked an inline comment as done. Apr 21 2020, 5:46 PM
This revision was automatically updated to reflect the committed changes.