svn commit: r330819 - head/sys/cam/scsi
Brooks Davis
brooks at FreeBSD.org
Mon Mar 12 22:58:08 UTC 2018
Author: brooks
Date: Mon Mar 12 22:58:07 2018
New Revision: 330819
URL: https://svnweb.freebsd.org/changeset/base/330819
Log:
Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode.
These take a union ccb argument which is full of kernel pointers.
Substantial translation efforts would be required to make this work.
By rejecting the request we avoid processing or returning entierly
wrong data.
Reviewed by: imp, ken, markj, cem
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14654
Modified:
head/sys/cam/scsi/scsi_pass.c
Modified: head/sys/cam/scsi/scsi_pass.c
==============================================================================
--- head/sys/cam/scsi/scsi_pass.c Mon Mar 12 22:17:14 2018 (r330818)
+++ head/sys/cam/scsi/scsi_pass.c Mon Mar 12 22:58:07 2018 (r330819)
@@ -30,6 +30,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_compat.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
@@ -45,6 +47,7 @@ __FBSDID("$FreeBSD$");
#include <sys/poll.h>
#include <sys/selinfo.h>
#include <sys/sdt.h>
+#include <sys/sysent.h>
#include <sys/taskqueue.h>
#include <vm/uma.h>
#include <vm/vm.h>
@@ -1859,6 +1862,12 @@ passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr
union ccb **user_ccb, *ccb;
xpt_opcode fc;
+#ifdef COMPAT_FREEBSD32
+ if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
+ error = ENOTTY;
+ goto bailout;
+ }
+#endif
if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0) {
error = passcreatezone(periph);
if (error != 0)
@@ -2033,6 +2042,12 @@ camioqueue_error:
struct pass_io_req *io_req;
int old_error;
+#ifdef COMPAT_FREEBSD32
+ if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
+ error = ENOTTY;
+ goto bailout;
+ }
+#endif
user_ccb = (union ccb **)addr;
old_error = 0;
More information about the svn-src-all
mailing list