
Don't access a user buffer directly from the kernel.
ClosedPublic

Authored by jhb on Apr 18 2020, 7:41 PM.
Details

Summary

The handle_string callback for the ENCIOC_SETSTRING ioctl was passing a
user pointer to memcpy(). Fix by using copyin() instead.

For ENCIOC_GETSTRING ioctls, the handler was storing the user pointer
in a CCB's data_ptr field where it was indirected by other code. Fix
this by allocating a temporary buffer (which ENCIOC_SETSTRING already
did) and copying the result out to the user buffer after the CCB has
been processed.
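
The pattern the summary describes, as an added example that is not code from this review or from sys/cam/scsi/scsi_enc_ses.c: a userland model with a simulated user address space, fault-checking stand-ins for copyin()/copyout() (named sim_copyin/sim_copyout here), a stand-in for CCB processing, and the before/after handlers. The struct ioc_string field names, the buffer sizes and the enclosure-state globals are assumptions made for the example, not the real ENCIOC_SETSTRING/ENCIOC_GETSTRING definitions. buggy_getstring() keeps the original defect (the user pointer goes straight into data_ptr and is written by "kernel" code); safe_setstring() and safe_getstring() show the fix, including freeing the temporary buffer on the error path that jrtc27 pointed out.

```c
/* Added example, not code from this review or from scsi_enc_ses.c: a userland
 * model of the fix with a simulated user address space, fault-checking
 * copyin()/copyout() stand-ins, and handlers that never hand a user pointer
 * to the CCB or to memcpy(). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ioctl argument; field names are an assumption, not the struct
 * from scsi_ses.h. The syscall layer already copied the struct into the
 * kernel; the pointer it carries is still a user address. */
struct ioc_string {
	size_t bufsiz;
	uint8_t *buf;
};

/* Simulated user address space: only user_mem is reachable through the copy
 * routines below; any other address gets EFAULT, as the MMU (and SMAP, for
 * a direct dereference) would fault for real. kernel_secret stands in for
 * kernel memory that a user-supplied pointer must never reach. */
#define USER_SIZE 256
static uint8_t user_mem[USER_SIZE];
static uint8_t kernel_secret[32] = "kernel-only-data";

static int user_range_ok(const void *uaddr, size_t len)
{
	uintptr_t a = (uintptr_t)uaddr, lo = (uintptr_t)user_mem;
	return len <= USER_SIZE && a >= lo && a - lo <= USER_SIZE - len;
}

/* Stand-ins for copyin()/copyout(): same argument order and 0/errno return
 * as the FreeBSD functions, checking only the simulated range. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
	if (!user_range_ok(uaddr, len)) return EFAULT;
	memcpy(kaddr, uaddr, len);
	return 0;
}
static int sim_copyout(const void *kaddr, void *uaddr, size_t len)
{
	if (!user_range_ok(uaddr, len)) return EFAULT;
	memcpy(uaddr, kaddr, len);
	return 0;
}

/* Stand-in for the enclosure string and for CCB processing: data_ptr is
 * dereferenced here, so it must point at kernel memory. */
#define MAX_STRING 64
static uint8_t enc_string[MAX_STRING];
static size_t enc_string_len;
static void process_ccb(uint8_t *data_ptr, size_t len, int is_set)
{
	if (is_set) {
		memcpy(enc_string, data_ptr, len);
		enc_string_len = len;
	} else
		memcpy(data_ptr, enc_string, len);
}

/* The bug pattern: the user pointer lands in data_ptr, so the "kernel" writes
 * to whatever address userland chose. */
int buggy_getstring(const struct ioc_string *ioc)
{
	process_ccb(ioc->buf, ioc->bufsiz, 0);
	return 0;
}

/* Fixed SETSTRING: bound the size, copyin() into a temporary buffer, hand
 * that to the CCB, free it on every path (the point raised in review). */
int safe_setstring(const struct ioc_string *ioc)
{
	uint8_t *buf;
	int error;

	if (ioc->bufsiz == 0 || ioc->bufsiz > MAX_STRING) return EINVAL;
	if ((buf = malloc(ioc->bufsiz)) == NULL) return ENOMEM;
	error = sim_copyin(ioc->buf, buf, ioc->bufsiz);
	if (error == 0)
		process_ccb(buf, ioc->bufsiz, 1);
	free(buf);	/* also on the EFAULT path */
	return error;
}

/* Fixed GETSTRING: the CCB fills a temporary buffer; the result reaches the
 * user buffer only through copyout(), after processing. */
int safe_getstring(const struct ioc_string *ioc)
{
	size_t len = ioc->bufsiz < enc_string_len ? ioc->bufsiz : enc_string_len;
	uint8_t *buf;
	int error;

	if (len == 0) return EINVAL;
	if ((buf = malloc(len)) == NULL) return ENOMEM;
	process_ccb(buf, len, 0);
	error = sim_copyout(buf, ioc->buf, len);
	free(buf);
	return error;
}
```

Pointing the same ioc_string at kernel_secret shows the difference: safe_getstring() returns EFAULT and leaves the kernel data untouched, while buggy_getstring() silently overwrites it. In the real driver the calls are copyin(9)/copyout(9) and the hardware processes the CCB, but the shape is the same: bound the user-controlled size before allocating, keep every pointer the CCB touches in kernel memory, and release the temporary buffer on the failure path as well as the success path.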

Test Plan
  • compile tested only

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 30590
Build 28331: arc lint + arc unit

Event Timeline

This was found by CheriBSD, where user and kernel pointers are different types and so generate compile errors, but SMAP should have caught this one at runtime I think.

jrtc27 added inline comments.
sys/cam/scsi/scsi_enc_ses.c
2909

You need to free buf on this error path.

Modulo the free() note.

This revision is now accepted and ready to land. Apr 18 2020, 10:42 PM
jhb marked an inline comment as done. Apr 21 2020, 5:46 PM
This revision was automatically updated to reflect the committed changes.