
Don't access a user buffer directly from the kernel.
Closed, Public

Authored by jhb on Apr 18 2020, 7:41 PM.
Details

Summary

The handle_string callback for the ENCIOC_SETSTRING ioctl was passing a
user pointer to memcpy(). Fix by using copyin() instead.

For ENCIOC_GETSTRING ioctls, the handler was storing the user pointer
in a CCB's data_ptr field where it was indirected by other code. Fix
this by allocating a temporary buffer (which ENCIOC_SETSTRING already
did) and copying the result out to the user buffer after the CCB has
been processed.
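
The pattern the summary describes, as an added userspace model (not the project's code): copyin()/copyout() are stubbed to fault on any address outside a constructed "user" region, the device path only ever sees the CCB's data_ptr, and the handler frees its temporary buffer on every exit path. The struct shapes and the MAX_STRING_LEN bound are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_STRING_LEN 64                      /* assumed bound on the ioctl buffer size */
static uint8_t user_mem[128];                  /* constructed stand-in for user address space */
static uint8_t device_string[MAX_STRING_LEN];  /* constructed stand-in for the enclosure string */
/* Model of the kernel's copyin()/copyout(): an address outside the user range faults (EFAULT). */
static int in_user(const void *p, size_t n) {
    const uint8_t *q = p;
    return q >= user_mem && n <= sizeof(user_mem) && q <= user_mem + sizeof(user_mem) - n;
}
static int copyin(const void *uaddr, void *kaddr, size_t len) {
    if (!in_user(uaddr, len)) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}
static int copyout(const void *kaddr, void *uaddr, size_t len) {
    if (!in_user(uaddr, len)) return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

struct encioc_string { size_t bufsiz; uint8_t *buf; }; /* assumed shape of the ioctl argument */
struct ccb { uint8_t *data_ptr; size_t dxfer_len; };     /* only the CCB fields this pattern uses */
/* The device path only ever dereferences ccb->data_ptr, so it must be a kernel buffer. */
static void process_ccb(struct ccb *c, int setting) {
    size_t n = c->dxfer_len < sizeof(device_string) ? c->dxfer_len : sizeof(device_string);
    if (setting) memcpy(device_string, c->data_ptr, n);
    else memcpy(c->data_ptr, device_string, n);
}

/* Hardened handler: bound the size, copyin() into a kernel buffer, hand only that buffer to
 * the CCB, copyout() the result for GETSTRING, and free the buffer on every exit path. */
static int handle_string(struct encioc_string *arg, int setting) {
    struct ccb c;
    uint8_t *buf;
    int error = 0;
    if (arg->bufsiz == 0 || arg->bufsiz > MAX_STRING_LEN) return EINVAL;
    if ((buf = malloc(arg->bufsiz)) == NULL) return ENOMEM;
    if (setting && (error = copyin(arg->buf, buf, arg->bufsiz)) != 0) goto out; /* not memcpy(arg->buf) */
    c.data_ptr = buf;                   /* kernel buffer, never the user pointer */
    c.dxfer_len = arg->bufsiz;
    process_ccb(&c, setting);
    if (!setting) error = copyout(buf, arg->buf, arg->bufsiz);
out:
    free(buf);                          /* also reached on the copyin() error path */
    return error;
}
```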

Test Plan
  • compile tested only

Event Timeline

This was found by CheriBSD, where user and kernel pointers are different types and so generate compile errors, but SMAP should have caught this one at runtime, I think.

jrtc27 added inline comments.
sys/cam/scsi/scsi_enc_ses.c:2909

You need to free buf on this error path.

Modulo the free() note.

This revision is now accepted and ready to land. Apr 18 2020, 10:42 PM
jhb marked an inline comment as done. Apr 21 2020, 5:46 PM
This revision was automatically updated to reflect the committed changes.