- User Since
- Feb 11 2021, 9:59 PM (32 w, 4 d)
Sat, Sep 4
Handle oversized write buffer coming from zfs
Mon, Aug 30
Try to avoid out-of-bounds reads that can happen with other str*cpy functions.
My preferred fix would be to make all string buffers in https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.h#L118 NAME_MAX+1 and enforce the last byte to be the null terminator.
But that'd be an ioctl interface change and an ABI change? Frowned upon?
Also this mainly affects hastd, which I cannot test at the moment.
follow up in https://reviews.freebsd.org/D31722
Aug 27 2021
Add test for ggatec to check handling of non-read/write request (e.g. trim).
Aug 25 2021
There's a rebase in https://github.com/bruelltuete/freebsd-src/commit/999394f2930d341b422a5421ff931dfb024eefc7, if that's easy to use (as a patch).
I don't actually know how to commit anything to src, never done that before.
Do you commit via Phabricator, like click a button here in the UI somewhere? Does the patch in this review need to be updated?
The security patch has landed. Do we still want the tests?
Aug 4 2021
Thanks for review and comments, everyone!
Aug 1 2021
I'm still on 12-stable with all my machines, and will not be able to upgrade for a few more months...
Yeah lots of stuff broken here. We can fix it all in a later patch. For now I really want to plug that remote code execution hole.
Jul 29 2021
change size check and fix typo
Jul 27 2021
Maybe found another problem, this time with the ggate kernel module. I'm pretty unsure about some details, esp around ioctl, but here goes:
I think it's possible to craft ioctl with ggate to exfiltrate kernel memory.
While I have your attention here, can someone assign the bug reports linked in the description to email@example.com? Right now they are dangling assigned to nobody.
What do we want the test to verify? That the fixed version only supports reads and writes? That feels a bit limiting because adding bio_delete or bio_flush support looks pretty straightforward.
Re testing, it's easy to repro if you can generate a request that is not read or write. I don't know of a reliable way to do that. At the moment zpool-create does that... but only if the right sysctls are set?
And looking at https://github.com/freebsd/freebsd-src/blob/main/tests/sys/geom/class/gate/ggate_test.sh, I'm not sure what to make of that, it's not obvious what's going on with the tests...
Fix still relevant to current: https://github.com/freebsd/freebsd-src/blob/main/sbin/ggate/ggatec/ggatec.c
Apr 1 2021
I'm still working on this but it's really slow going rn, got very little time.
Feb 22 2021
I think I've wrapped my head around dmap & friends... it makes things more complicated.
Will have to demote dmap mappings. If I try to encrypt user-mode pages first, I'll need to demote the dmap pages down from 1gb into 4k and set the c-bit for the small pages.
Same for trying to encrypt all pages. Will still have to demote dmap pages because of dma and the existing kernel text and preloaded module pages.
Feb 15 2021
Hi kib, thanks for taking a look!
I'll try to figure out the dmap bits, thanks for the pointer.