Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c

Fuqian Huang huangfq.daxian at gmail.com
Wed Jun 12 13:01:05 UTC 2019


In freebsd/sys/dev/ciss/ciss.c, the function ciss_print_request prints
the address of the kernel object cr (the `%p` in `"REQUEST @ %p\n"`),
exposing it to user space. Each time a device is detached, the call
chain ciss_free -> ciss_notify_abort -> ciss_print_request is executed,
which finally dumps a kernel address to user space.

static int
ciss_detach(device_t dev)
{
  struct ciss_softc   *sc = device_get_softc(dev);
  ...
  ciss_free(sc);
  return (0);
}

static void
ciss_free(struct ciss_softc *sc)
{
  ...
->  ciss_notify_abort(sc);
  ...
}

static int
ciss_notify_abort(struct ciss_softc *sc)
{
  struct ciss_request *cr;
  ...
  if ((error = ciss_get_request(sc, &cr))
    goto out;
  ...
->  ciss_print_request(cr);
  ...
}

static void
ciss_print_request(struct ciss_request *cr)
{
  struct ciss_softc   *sc;
  ...
  sc = cr->cr_sc;
  ...
->  ciss_printf(sc, "REQUEST @ %p\n", cr);
ciss_printf(sc, "  data %p/%d  tag %d  flags %b\n",
      cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
      "\20\1mapped\2sleep\3poll\4dataout\5datain\n");
}

