Date: Fri, 07 Sep 2018 13:11:46 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 231221] graphics/drm-devel-kmod: Make sure to allow only appropriate ioctl requests
Message-ID: <bug-231221-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231221

            Bug ID: 231221
           Summary: graphics/drm-devel-kmod: Make sure to allow only
                    appropriate ioctl requests
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: jmd@freebsd.org
          Reporter: sghctoma@gmail.com
             Flags: maintainer-feedback?(jmd@freebsd.org)
 Attachment #196939 text/plain
         mime type:

Created attachment 196939
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=196939&action=edit
Patch to reject inappropriate ioctls with EINVAL

Overview
--
The drm_ioctl function (drivers/gpu/drm/drm_ioctl.c#783) uses DRM_IOCTL_NR(cmd)
to determine which ioctl should be called, but it does not check if cmd is
actually a valid ioctl for the driver.

Steps to Reproduce
--
I was trying to determine if a given file descriptor belongs to a drm or an
input device, for which I was using two ioctl requests: IOCGVERSION and
DRM_IOCTL_VERSION. I expected requesting IOCGVERSION from a drm device would
return EINVAL, but it returns 0.

This simple PoC demonstrates this behavior:

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <dev/evdev/input.h>

int main(int argc, char** argv)
{
    /* Open a drm device node, then issue an evdev request on it. */
    int fd = open("/dev/drm/0", O_RDONLY);
    int dummy = -1;
    int ret = ioctl(fd, EVIOCGVERSION, &dummy);
    /* A rejected request would leave ret == -1 and dummy untouched. */
    printf("ret=%d, err=%s, dummy=%d\n", ret, strerror(errno), dummy);
}

Actual Results
--
The above program shows that requesting EVIOCGVERSION from a drm device
succeeds:

[0x00 ~]$ cc test2.c -o test2
[0x00 ~]$ ./test2
ret=0, err=No error: 0, dummy=0

Expected Results
--
The expected result would be a failed ioctl call:

[0x00 ~]$ ./test2
ret=-1, err=Invalid argument, dummy=-1

Patch
--
This problem exists because DRM_IOCTL_NR(EVIOCGVERSION) = 1, therefore
drm_ioctl will use DRM_IOCTL_GET_UNIQUE (because
DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE) is also 1). The drm_ioctl.c in base compares
IOCGROUP(cmd) with DRM_IOCTL_BASE, and returns -EINVAL if they differ. I have
copied that comparison to the patch attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
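The number collision and the group comparison described in the report, as an added example that is not part of the original message, the attached patch, or the driver's code. The EX_ macros re-create the BSD ioctl command layout under example-only names, the two-slot handler table is a toy, and the length of 16 for struct drm_unique assumes an LP64 system.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the BSD ioctl command layout:
 * direction bits | (length << 16) | (group << 8) | number.
 * All EX_ names belong to this example, not to the driver. */
#define EX_IOC_OUT 0x40000000UL
#define EX_IOC_IN  0x80000000UL
#define EX_IOC(dir, group, num, len)                          \
    ((unsigned long)((dir) | (((len) & 0x1fffUL) << 16) |     \
                     ((unsigned long)(group) << 8) | (num)))
#define EX_GROUP(cmd) (((cmd) >> 8) & 0xffUL)
#define EX_NR(cmd)    ((cmd) & 0xffUL)

#define EX_DRM_BASE       'd' /* value of DRM_IOCTL_BASE */
#define EX_EVIOCGVERSION  EX_IOC(EX_IOC_OUT, 'E', 0x01, sizeof(int))
/* Length 16 is an assumption (LP64 struct drm_unique). */
#define EX_DRM_GET_UNIQUE EX_IOC(EX_IOC_IN | EX_IOC_OUT, EX_DRM_BASE, 0x01, 16)

#define EX_TABLE_SIZE 2 /* toy table: slot 0 = version, slot 1 = get_unique */

/* Dispatch on the request number alone, the behaviour the report
 * describes: returns the handler slot, or -EINVAL if out of range. */
int dispatch_by_nr(unsigned long cmd)
{
    unsigned long nr = EX_NR(cmd);
    return nr < EX_TABLE_SIZE ? (int)nr : -EINVAL;
}

/* Same dispatch, preceded by the group comparison the report proposes. */
int dispatch_checked(unsigned long cmd)
{
    if (EX_GROUP(cmd) != (unsigned long)EX_DRM_BASE)
        return -EINVAL;
    return dispatch_by_nr(cmd);
}

int main(void)
{
    printf("evdev 0x%lx: by_nr=%d checked=%d\n", EX_EVIOCGVERSION,
           dispatch_by_nr(EX_EVIOCGVERSION), dispatch_checked(EX_EVIOCGVERSION));
    printf("drm   0x%lx: by_nr=%d checked=%d\n", EX_DRM_GET_UNIQUE,
           dispatch_by_nr(EX_DRM_GET_UNIQUE), dispatch_checked(EX_DRM_GET_UNIQUE));
    return 0;
}
```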