svn commit: r360048 - head/sys/cam/scsi

John Baldwin jhb at FreeBSD.org
Fri Apr 17 18:19:14 UTC 2020 

Author: jhb
Date: Fri Apr 17 18:19:13 2020
New Revision: 360048
URL: https://svnweb.freebsd.org/changeset/base/360048

Log:
  Don't try to copyout() to a kernel buffer.
  
  The handle_string callback for the ENCIOC_GET_ENCNAME and
  ENCIOC_GETENCID ioctls tries to copy the size of the generated string
  out to userland.  However, the callback only has access to the kernel
  copy of the structure populated by copyin().  The copyout() call
  simply overwrites the value in the kernel's copy preventing the
  subsequent overflow prevention logic from working.
  
  Fix this by instead doing a copyout() of the updated length in the
  caller after the callback returns.
  
  Reviewed by:	kib
  Obtained from:	CheriBSD
  Sponsored by:	DARPA
  Differential Revision:	https://reviews.freebsd.org/D24456

Modified:
  head/sys/cam/scsi/scsi_enc.c
  head/sys/cam/scsi/scsi_enc_ses.c

Modified: head/sys/cam/scsi/scsi_enc.c
==============================================================================
--- head/sys/cam/scsi/scsi_enc.c	Fri Apr 17 17:05:58 2020	(r360047)
+++ head/sys/cam/scsi/scsi_enc.c	Fri Apr 17 18:19:13 2020	(r360048)
@@ -489,6 +489,10 @@ enc_ioctl(struct cdev *dev, u_long cmd, caddr_t arg_ad
 		cam_periph_lock(periph);
 		error = enc->enc_vec.handle_string(enc, &sstr, cmd);
 		cam_periph_unlock(periph);
+		if (error == 0 || error == ENOMEM)
+			(void)copyout(&sstr.bufsiz,
+			    &((encioc_string_t *)addr)->bufsiz,
+			    sizeof(sstr.bufsiz));
 		break;
 
 	case ENCIOC_GETELMSTAT:

Modified: head/sys/cam/scsi/scsi_enc_ses.c
==============================================================================
--- head/sys/cam/scsi/scsi_enc_ses.c	Fri Apr 17 17:05:58 2020	(r360047)
+++ head/sys/cam/scsi/scsi_enc_ses.c	Fri Apr 17 18:19:13 2020	(r360048)
@@ -2926,11 +2926,11 @@ ses_handle_string(enc_softc_t *enc, encioc_string_t *s
 		    vendor, product, rev) + 1;
 		if (rsize > sizeof(str))
 			rsize = sizeof(str);
-		copyout(&rsize, &sstr->bufsiz, sizeof(rsize));
 		size = rsize;
 		if (size > sstr->bufsiz)
 			size = sstr->bufsiz;
 		copyout(str, sstr->buf, size);
+		sstr->bufsiz = rsize;
 		return (size == rsize ? 0 : ENOMEM);
 	case ENCIOC_GETENCID:
 		if (ses_cache->ses_nsubencs < 1)
@@ -2940,11 +2940,11 @@ ses_handle_string(enc_softc_t *enc, encioc_string_t *s
 		    scsi_8btou64(enc_desc->logical_id)) + 1;
 		if (rsize > sizeof(str))
 			rsize = sizeof(str);
-		copyout(&rsize, &sstr->bufsiz, sizeof(rsize));
 		size = rsize;
 		if (size > sstr->bufsiz)
 			size = sstr->bufsiz;
 		copyout(str, sstr->buf, size);
+		sstr->bufsiz = rsize;
 		return (size == rsize ? 0 : ENOMEM);
 	default:
 		return (EINVAL);

More information about the svn-src-all mailing list