[Bug 201611] [patch] Add devfs_get_cdevpriv_from_file(9)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Jul 23 23:24:42 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201611

--- Comment #1 from Andy Ritger <aritger at nvidia.com> ---
Actually, for the driver to use devfs_get_cdevpriv_from_file(), as in:

    struct file *fp;
    struct driver_per_open *popen;
    int error;

    /* take a reference on the file behind the caller's fd */
    error = fget(curthread, fd, &fp);
    if (error != 0)
        return (error);

    error = devfs_get_cdevpriv_from_file(&popen, fp);
    if (error == 0) {
        /* use popen... */
    }

    fdrop(fp, curthread);

someone would need to validate that the 'popen' was allocated by the driver.
Otherwise, an attacker could open some other device file and pass that fd into
this code, tricking the driver into misinterpreting what
file::f_cdevpriv::cdpd_data points to.

I think this could be validated by comparing file::f_cdevpriv::cdpd_dtr to the
function pointer (cdevpriv_dtr_t) that was passed into devfs_set_cdevpriv().
Would it make sense for devfs_get_cdevpriv_from_file() to take a cdevpriv_dtr_t
as an argument? Or is there a better way to structure this?

-- 
You are receiving this mail because:
You are the assignee for the bug.
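The destructor-pointer check proposed in the comment above, as an added userland model rather than FreeBSD or NVIDIA code: the struct layouts are a reduced stand-in for devfs's cdev_privdata and struct file, the names driver_per_open, driver_popen_dtr, other_driver_dtr and lookup_with_dtr are hypothetical, and devfs_get_cdevpriv_from_file() is modelled as returning the raw cdpd_data with no ownership check, so the driver-side wrapper has to compare cdpd_dtr itself.

```c
#include <errno.h>
#include <stddef.h>

/* Userland model of devfs per-open private data (subset of sys/fs/devfs). */
typedef void (*cdevpriv_dtr_t)(void *);
struct cdev_privdata {
	void *cdpd_data;		/* pointer the driver stored */
	cdevpriv_dtr_t cdpd_dtr;	/* destructor given to devfs_set_cdevpriv() */
};
struct file { struct cdev_privdata *f_cdevpriv; };

/* Hypothetical per-open state of "our" driver and its destructor, plus the
 * destructor of an unrelated driver for the negative case. */
struct driver_per_open { int unit; };
void driver_popen_dtr(void *data) { (void)data; }
void other_driver_dtr(void *data) { (void)data; }

/* Model of the proposed API: returns cdpd_data of whichever driver set it. */
static int devfs_get_cdevpriv_from_file(void **datap, struct file *fp)
{
	if (fp->f_cdevpriv == NULL)
		return (ENOENT);
	*datap = fp->f_cdevpriv->cdpd_data;
	return (0);
}

/* The check proposed in the comment: trust cdpd_data only when cdpd_dtr is
 * the destructor this driver registered, i.e. the per-open data is ours. */
static int driver_get_popen(struct file *fp, struct driver_per_open **popenp)
{
	void *data;
	int error = devfs_get_cdevpriv_from_file(&data, fp);
	if (error != 0)
		return (error);
	if (fp->f_cdevpriv->cdpd_dtr != driver_popen_dtr)
		return (EINVAL);	/* fd refers to another driver's device */
	*popenp = data;
	return (0);
}

/* Constructed fixture: a file whose cdevpriv was set with destructor dtr;
 * a NULL dtr models a file that has no cdevpriv at all. */
int lookup_with_dtr(cdevpriv_dtr_t dtr)
{
	static struct driver_per_open popen = { 7 };
	struct cdev_privdata priv = { &popen, dtr };
	struct file fp = { dtr != NULL ? &priv : NULL };
	struct driver_per_open *p = NULL;
	return (driver_get_popen(&fp, &p));
}
```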

