Author: mav
Date: Mon Oct 31 07:21:37 2016
New Revision: 308123
URL: https://svnweb.freebsd.org/changeset/base/308123
Log:
MFC r307523: Make pass driver better support CAM_CDB_POINTER flag.
Previously pass driver just ignored the flag, making random kernel code
access user-space pointer, sometime causing crashes even for correctly
written applications if user-level context was switched or swapped out.
This patch tries to copyin the CDB into kernel space to avoid it.
Modified:
stable/10/sys/cam/scsi/scsi_pass.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/cam/scsi/scsi_pass.c
==============================================================================
--- stable/10/sys/cam/scsi/scsi_pass.c Mon Oct 31 07:21:07 2016
(r308122)
+++ stable/10/sys/cam/scsi/scsi_pass.c Mon Oct 31 07:21:37 2016
(r308123)
@@ -1881,6 +1881,18 @@ passdoioctl(struct cdev *dev, u_long cmd
break;
}
+ if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
+ if (ccb->csio.cdb_len > IOCDBLEN) {
+ error = EINVAL;
+ break;
+ }
+ error = copyin(ccb->csio.cdb_io.cdb_ptr,
+ ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len);
+ if (error)
+ break;
+ ccb->ccb_h.flags &= ~CAM_CDB_POINTER;
+ }
+
/*
* Some CCB types, like scan bus and scan lun can only go
* through the transport layer device.
@@ -2148,6 +2160,7 @@ passsendccb(struct cam_periph *periph, u
{
struct pass_softc *softc;
struct cam_periph_map_info mapinfo;
+ uint8_t *cmd;
xpt_opcode fc;
int error;
@@ -2159,6 +2172,14 @@ passsendccb(struct cam_periph *periph, u
*/
xpt_merge_ccb(ccb, inccb);
+ if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
+ cmd = __builtin_alloca(ccb->csio.cdb_len);
+ error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd,
ccb->csio.cdb_len);
+ if (error)
+ return (error);
+ ccb->csio.cdb_io.cdb_ptr = cmd;
+ }
+
/*
*/
ccb->ccb_h.cbfcnp = passdone;
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"
