Author: brooks
Date: Mon Mar 12 22:58:07 2018
New Revision: 330819
URL: https://svnweb.freebsd.org/changeset/base/330819

Log:
  Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode.

  These take a union ccb argument which is full of kernel pointers.
  Substantial translation efforts would be required to make this work.
  By rejecting the request we avoid processing or returning entirely wrong
  data.

  Reviewed by: imp, ken, markj, cem
  Obtained from: CheriBSD
  MFC after: 1 week
  Sponsored by: DARPA, AFRL
  Differential Revision: https://reviews.freebsd.org/D14654

Modified:
  head/sys/cam/scsi/scsi_pass.c

Modified: head/sys/cam/scsi/scsi_pass.c ============================================================================== --- head/sys/cam/scsi/scsi_pass.c Mon Mar 12 22:17:14 2018 (r330818) +++ head/sys/cam/scsi/scsi_pass.c Mon Mar 12 22:58:07 2018 (r330819) @@ -30,6 +30,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_compat.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> @@ -45,6 +47,7 @@ __FBSDID("$FreeBSD$"); #include <sys/poll.h> #include <sys/selinfo.h> #include <sys/sdt.h> +#include <sys/sysent.h> #include <sys/taskqueue.h> #include <vm/uma.h> #include <vm/vm.h> @@ -1859,6 +1862,12 @@ passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr union ccb **user_ccb, *ccb; xpt_opcode fc; +#ifdef COMPAT_FREEBSD32 + if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { + error = ENOTTY; + goto bailout; + } +#endif if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0) { error = passcreatezone(periph); if (error != 0) @@ -2033,6 +2042,12 @@ camioqueue_error: struct pass_io_req *io_req; int old_error; +#ifdef COMPAT_FREEBSD32 + if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { + error = ENOTTY; + goto bailout; + } +#endif user_ccb = (union ccb **)addr; old_error = 0;
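
Review bot: In the hunk at @@ -1859,6 +1862,12 @@ the new COMPAT_FREEBSD32 block has no comment saying why a 32-bit caller is refused, so the reasoning lives only in the commit log. A one-line comment above `if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {` noting that union ccb is full of kernel pointers and has no 32-bit translation would keep a later reader from treating the check as dead code. The placement ahead of the `PASS_FLAG_ZONE_VALID` test is right, since the request is turned away before `passcreatezone(periph)` can run; please also confirm that the `bailout` path does not depend on anything initialised after this point in the case.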
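
Review bot: The hunk at @@ -2033,6 +2042,12 @@ repeats the six-line SV_ILP32 check from the @@ -1859 hunk verbatim, so any further ioctl added to passdoioctl() that takes a union ccb argument needs a third copy and can easily be missed. Consider a small helper or macro shared by both cases so the compat policy is stated once. Separately, `error = ENOTTY;` gives a 32-bit process the same errno as an unrecognised ioctl, so userland cannot tell "not supported in compat mode" from "not a pass(4) request"; that behaviour deserves a sentence in the pass(4) manual page, which this change does not touch.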