Author: jhb
Date: Fri Apr 17 18:19:13 2020
New Revision: 360048
URL: https://svnweb.freebsd.org/changeset/base/360048
Log: Don't try to copyout() to a kernel buffer. The handle_string callback for the ENCIOC_GET_ENCNAME and ENCIOC_GETENCID ioctls tries to copy the size of the generated string out to userland. However, the callback only has access to the kernel copy of the structure populated by copyin(). The copyout() call simply overwrites the value in the kernel's copy preventing the subsequent overflow prevention logic from working. Fix this by instead doing a copyout() of the updated length in the caller after the callback returns. Reviewed by: kib Obtained from: CheriBSD Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D24456 Modified: head/sys/cam/scsi/scsi_enc.c head/sys/cam/scsi/scsi_enc_ses.c Modified: head/sys/cam/scsi/scsi_enc.c ============================================================================== --- head/sys/cam/scsi/scsi_enc.c Fri Apr 17 17:05:58 2020 (r360047) +++ head/sys/cam/scsi/scsi_enc.c Fri Apr 17 18:19:13 2020 (r360048) @@ -489,6 +489,10 @@ enc_ioctl(struct cdev *dev, u_long cmd, caddr_t arg_ad cam_periph_lock(periph); error = enc->enc_vec.handle_string(enc, &sstr, cmd); cam_periph_unlock(periph); + if (error == 0 || error == ENOMEM) + (void)copyout(&sstr.bufsiz, + &((encioc_string_t *)addr)->bufsiz, + sizeof(sstr.bufsiz)); break; case ENCIOC_GETELMSTAT: Modified: head/sys/cam/scsi/scsi_enc_ses.c ============================================================================== --- head/sys/cam/scsi/scsi_enc_ses.c Fri Apr 17 17:05:58 2020 (r360047) +++ head/sys/cam/scsi/scsi_enc_ses.c Fri Apr 17 18:19:13 2020 (r360048) @@ -2926,11 +2926,11 @@ ses_handle_string(enc_softc_t *enc, encioc_string_t *s vendor, product, rev) + 1; if (rsize > sizeof(str)) rsize = sizeof(str); - copyout(&rsize, &sstr->bufsiz, sizeof(rsize)); size = rsize; if (size > sstr->bufsiz) size = sstr->bufsiz; copyout(str, sstr->buf, size); + sstr->bufsiz = rsize; return (size == rsize ? 0 : ENOMEM); case ENCIOC_GETENCID: if (ses_cache->ses_nsubencs < 1) 
@@ -2940,11 +2940,11 @@ ses_handle_string(enc_softc_t *enc, encioc_string_t *s scsi_8btou64(enc_desc->logical_id)) + 1; if (rsize > sizeof(str)) rsize = sizeof(str); - copyout(&rsize, &sstr->bufsiz, sizeof(rsize)); size = rsize; if (size > sstr->bufsiz) size = sstr->bufsiz; copyout(str, sstr->buf, size); + sstr->bufsiz = rsize; return (size == rsize ? 0 : ENOMEM); default: return (EINVAL); _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
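Review bot: in the scsi_enc.c hunk, the new copyout() of sstr.bufsiz in enc_ioctl() discards its return value with the (void) cast, so if the user address for bufsiz faults the ioctl still returns 0 (or ENOMEM from the callback) and userland cannot tell that the required length was never delivered; consider `if (error == 0 || error == ENOMEM) { int cerr = copyout(...); if (cerr != 0) error = cerr; }` so a fault is surfaced. Placing the copy after cam_periph_unlock() is the right ordering, since copyout() may fault and sleep and should not run with the periph lock held.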
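Review bot: in both scsi_enc_ses.c hunks, the removed `copyout(&rsize, &sstr->bufsiz, ...)` was the defect: it wrote to the kernel copy of the structure, so `sstr->bufsiz` became equal to rsize and the following `if (size > sstr->bufsiz)` clamp could never shrink size, letting `copyout(str, sstr->buf, size)` write rsize bytes regardless of the caller's buffer length. Setting `sstr->bufsiz = rsize` only after the clamp and the data copy restores that check. What still goes unchecked is the return value of `copyout(str, sstr->buf, size)` itself; a faulting user buffer is reported as success (or ENOMEM) because the return value is decided solely by `size == rsize`, so `if (copyout(str, sstr->buf, size) != 0) return (EFAULT);` would be worth adding. Since the ENCIOC_GETENCID case repeats the same clamp-and-copy sequence line for line, factoring it into a small helper would keep the two paths from drifting apart again.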