Page MenuHomeFreeBSD

Don't access userspace directly from the kernel in nxge(4).
ClosedPublic

Authored by brooks on Mar 25 2018, 6:48 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 25, 2:23 PM
Unknown Object (File)
Nov 19 2024, 2:38 AM
Unknown Object (File)
Nov 13 2024, 1:01 AM
Unknown Object (File)
Oct 31 2024, 4:35 AM
Unknown Object (File)
Oct 17 2024, 12:47 PM
Unknown Object (File)
Oct 2 2024, 7:23 AM
Unknown Object (File)
Oct 1 2024, 2:55 PM
Unknown Object (File)
Sep 25 2024, 5:39 AM
Subscribers

Details

Summary

The previous code was obviously wrong, the new code makes the same
accesses to userspace via the correct mechanism. xge_ioctl_registers()
has further obvious issues, but there seems to be little point in fixing
them.

Test Plan

it compiles...

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb added inline comments.
sys/dev/nxge/if_nxge.c
1377 ↗(On Diff #40733)

If this is the only use, I would actually prefer to kill 'data' entirely to avoid someone trying to use additional bytes and instead do something like:

char query;
...

query = fubyte(ifreqp->ifr_data);
if (query == -1)
     return (EFAULT);

switch (query) {

Also, I wonder if we should prefer fuebyte() in new code instead? (Maybe kib@ has an opinion on that)

1547 ↗(On Diff #40733)

The fact that it does copyout() already makes this function even more amusing.

This revision is now accepted and ready to land.Mar 26 2018, 5:28 PM
sys/dev/nxge/if_nxge.c
1377 ↗(On Diff #40733)

data is used later or I would have done that. We don't currently have fuebyte()

1547 ↗(On Diff #40733)

The strcmp() cases will certainly not trigger in most cases because option is a char[2] followed by an int64_t so there's garbage in the pad unless the did a bzero first.

This driver is best fixed with svn rm, but I'm changing ifr_data use so needed to do a little fixing.

Agreed that the driver is dubious at best. I'm not sure if it's even really used. I don't think it was a commodity part.

sys/dev/nxge/if_nxge.c
1506 ↗(On Diff #40733)

So this is the only place that uses 'data' and it is wrong (sizeof is wrong). I would probably fix this by not abusing data but just using a local 'char mode' and passing '&mode' to copyout().

  • Split data into cmd and mode to be more clear what is going on.
This revision now requires review to proceed.Mar 26 2018, 11:58 PM
brooks retitled this revision from Don't access userspace directly from the kernel. to Don't access userspace directly from the kernel in nxge(4)..Mar 27 2018, 8:05 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mar 27 2018, 9:14 PM
This revision was automatically updated to reflect the committed changes.