Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c
Fuqian Huang
huangfq.daxian at gmail.com
Wed Jun 12 13:01:05 UTC 2019
In freebsd/sys/dev/ciss/ciss.c, the function ciss_print_request dumps
the address of a kernel object, cr, to user space. Each time a device
is detached, it calls
ciss_free->ciss_notify_abort->ciss_print_request, which finally
dumps a kernel address to user space.
static int
ciss_detach(device_t dev)
{
    struct ciss_softc *sc = device_get_softc(dev);
    ...
    ciss_free(sc);
    return (0);
}

static void
ciss_free(struct ciss_softc *sc)
{
    ...
->  ciss_notify_abort(sc);
    ...
}

static int
ciss_notify_abort(struct ciss_softc *sc)
{
    struct ciss_request *cr;
    ...
    if ((error = ciss_get_request(sc, &cr)) != 0)
        goto out;
    ...
->  ciss_print_request(cr);
    ...
}

static void
ciss_print_request(struct ciss_request *cr)
{
    struct ciss_softc *sc;
    ...
    sc = cr->cr_sc;
    ...
->  ciss_printf(sc, "REQUEST @ %p\n", cr);
    ciss_printf(sc, "  data %p/%d  tag %d  flags %b\n",
        cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
        "\20\1mapped\2sleep\3poll\4datain\5dataout\n");
}
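The report above identifies the leak by reading the source. The complementary check from the other side is to scan what the kernel actually prints and flag anything that looks like a kernel-space pointer. The program below is an added example, not code from the original message or from FreeBSD: it applies a heuristic (an assumption of this example) that on FreeBSD/amd64 the kernel occupies the upper canonical half of the address space, so a user-visible 0x-prefixed value of 12 to 16 hex digits at or above 0xffff800000000000 is reported as a leaked kernel address. The dmesg lines it scans are constructed to resemble what ciss_print_request() might emit, and are not real log output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Heuristic (an assumption of this example, not an address map): on
 * FreeBSD/amd64 kernel virtual addresses have the top bit set, so any
 * 0x-prefixed token with MIN_DIGITS..MAX_DIGITS hex digits at or above
 * KVA_MIN is treated as a leaked kernel pointer. Short values such as
 * tags, lengths and %b flag words ("0x5<mapped,poll>") fall below the
 * digit floor and are ignored; user-space pointers fall below KVA_MIN.
 */
#define KVA_MIN     0xffff800000000000ULL
#define MIN_DIGITS  12
#define MAX_DIGITS  16

/* Count the 0x-prefixed tokens in one log line that look like kernel pointers. */
int count_kernel_pointers(const char *line)
{
    int hits = 0;
    const char *p = line;

    while ((p = strstr(p, "0x")) != NULL) {
        char *end;
        unsigned long long v = strtoull(p, &end, 16);

        if (end <= p + 2) {          /* "0x" not followed by a hex digit */
            p += 2;
            continue;
        }
        size_t digits = (size_t)(end - (p + 2));
        if (digits >= MIN_DIGITS && digits <= MAX_DIGITS && v >= KVA_MIN)
            hits++;
        p = end;
    }
    return hits;
}

/* Scan an array of log lines; return how many of them expose a kernel pointer. */
int count_leaking_lines(const char *const *lines, size_t nlines)
{
    int leaking = 0;
    for (size_t i = 0; i < nlines; i++)
        if (count_kernel_pointers(lines[i]) > 0)
            leaking++;
    return leaking;
}

/*
 * Constructed sample (not real dmesg output): the first two lines mimic what
 * ciss_print_request() could print on amd64, the others are ordinary attach
 * messages whose PCI resource ranges must not be mistaken for kernel pointers.
 */
static const char *const sample_dmesg[] = {
    "ciss0: REQUEST @ 0xfffff80003a2c000",
    "ciss0:   data 0xfffffe0000c3b000/512  tag 7  flags 0x5<mapped,poll>",
    "ciss0: <HP Smart Array P410> port 0x4000-0x40ff mem 0xfbd00000-0xfbdfffff irq 16",
    "ciss0: firmware 5.70",
};
#define NSAMPLE (sizeof(sample_dmesg) / sizeof(sample_dmesg[0]))

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++) {
        int n = count_kernel_pointers(sample_dmesg[i]);
        if (n > 0)
            printf("LEAK (%d pointer%s): %s\n", n, n == 1 ? "" : "s",
                sample_dmesg[i]);
    }
    printf("%d of %zu lines expose kernel addresses\n",
        count_leaking_lines(sample_dmesg, NSAMPLE), NSAMPLE);
    return 0;
}
```

Run it against `dmesg` output captured from an unprivileged shell (or `tail -f /var/log/messages` while detaching the device) to confirm whether a given kernel build still prints the request address; the digit floor is what keeps %b flag words and short resource ranges out of the results.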
More information about the freebsd-hackers
mailing list