From nobody Wed Oct 27 17:38:46 2021 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 220AA182DCBD; Wed, 27 Oct 2021 17:38:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HfbX65NZjz4fnR; Wed, 27 Oct 2021 17:38:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 67398143C6; Wed, 27 Oct 2021 17:38:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19RHckt7057712; Wed, 27 Oct 2021 17:38:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19RHckeP057711; Wed, 27 Oct 2021 17:38:46 GMT (envelope-from git) Date: Wed, 27 Oct 2021 17:38:46 GMT Message-Id: <202110271738.19RHckeP057711@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Jessica Clarke Subject: git: f350bc1dd368 - main - ada: Fix intra-object buffer overread of identify strings List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jrtc27 X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f350bc1dd368a3024ba9ef2a9e8431fc1edd8094 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by jrtc27: URL: https://cgit.FreeBSD.org/src/commit/?id=f350bc1dd368a3024ba9ef2a9e8431fc1edd8094 commit f350bc1dd368a3024ba9ef2a9e8431fc1edd8094 Author: Jessica Clarke AuthorDate: 2021-10-24 18:48:59 +0000 Commit: Jessica Clarke CommitDate: 2021-10-27 17:38:37 +0000 ada: Fix intra-object buffer overread of identify strings In the ATA/ATAPI spec these are space-padded fixed-length strings with no NUL-terminator (and byte swapped). When performing the identify we call ata_param_fixup to swap the bytes back to be in order, strip any leading/trailing spaces and coalesce consecutive spaces, padding with NULs. However, if the input has no padding spaces, the fixed-up strings are still not NUL-terminated. This causes two issues. The first is that strlcpy will truncate the string by replacing the final byte with a NUL. The second is that strlcpy will keep reading src until it finds a NUL in order to calculate the return value, which is defined as the length of src (so that callers can then compare it with the dsize input to see if the input string was truncated), thereby reading past the end of the buffer and into whatever adjacent fields are in the structure. In practice there's a NUL byte somewhere in the structure, but on CHERI with subobject bounds enabled in the compiler this overread will be detected and trap as a bounds violation. Note this matches ata_xpt's aprobedone, which does a bcopy to a malloc'ed buffer and manually NUL-terminates it for the CAM path's device's serial_num. Found by: CHERI Reviewed by: imp, scottl Differential Revision: https://reviews.freebsd.org/D32567 --- sys/cam/ata/ata_da.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/sys/cam/ata/ata_da.c b/sys/cam/ata/ata_da.c index 72bbbfe8ab1f..c05a9fa49d1c 100644 --- a/sys/cam/ata/ata_da.c +++ b/sys/cam/ata/ata_da.c @@ -3424,6 +3424,7 @@ adasetgeom(struct ada_softc *softc, struct ccb_getdev *cgd) u_int64_t lbasize48; u_int32_t lbasize; u_int maxio, d_flags; + size_t tmpsize; dp->secsize = ata_logical_sector_size(&cgd->ident_data); if ((cgd->ident_data.atavalid & ATA_FLAG_54_58) && @@ -3487,10 +3488,25 @@ adasetgeom(struct ada_softc *softc, struct ccb_getdev *cgd) softc->flags |= ADA_FLAG_UNMAPPEDIO; } softc->disk->d_flags = d_flags; - strlcpy(softc->disk->d_descr, cgd->ident_data.model, - MIN(sizeof(softc->disk->d_descr), sizeof(cgd->ident_data.model))); - strlcpy(softc->disk->d_ident, cgd->ident_data.serial, - MIN(sizeof(softc->disk->d_ident), sizeof(cgd->ident_data.serial))); + + /* + * ata_param_fixup will strip trailing padding spaces and add a NUL, + * but if the field has no padding (as is common for serial numbers) + * there will still be no NUL terminator. We cannot use strlcpy, since + * it keeps reading src until it finds a NUL in order to compute the + * return value (and will truncate the final character due to having a + * single dsize rather than separate ssize and dsize), and strncpy does + * not add a NUL to the destination if it reaches the character limit. + */ + tmpsize = MIN(sizeof(softc->disk->d_descr) - 1, + sizeof(cgd->ident_data.model)); + memcpy(softc->disk->d_descr, cgd->ident_data.model, tmpsize); + softc->disk->d_descr[tmpsize] = '\0'; + + tmpsize = MIN(sizeof(softc->disk->d_ident) - 1, + sizeof(cgd->ident_data.serial)); + memcpy(softc->disk->d_ident, cgd->ident_data.serial, tmpsize); + softc->disk->d_ident[tmpsize] = '\0'; softc->disk->d_sectorsize = softc->params.secsize; softc->disk->d_mediasize = (off_t)softc->params.sectors *