From: Warner Losh
Date: Wed, 12 Jun 2019 15:51:41 -0600
Subject: Re: Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c
To: Fuqian Huang
Cc: "freebsd-hackers@freebsd.org"
On Wed, Jun 12, 2019 at 7:02 AM Fuqian Huang wrote:

> In freebsd/sys/dev/ciss/ciss.c, function ciss_print_request will dump
> the address of a kernel object cr to user space. Each time a
> device is detached, it will call
> ciss_free->ciss_notify_abort->ciss_print_request, and this finally
> dumps a kernel address to user space.
>

This is, at best, a theoretical concern. ciss_detach isn't called except
when detaching the device. This only happens if you are unloading the
module or using devctl to detach it. Second, the bit you chopped out of
ciss_detach ensures that the controller isn't open. Close is only called
when there are no pending requests from geom to the device, and we get
called for the LAST close, meaning nothing else has it open. This means
there will be no commands to abort when ciss_notify_abort() is called.
Since there are no commands to abort, there will be no commands that are
printed, so no user address will be disclosed.

Having said that, do you have a test case that can trigger this? It would
be most unexpected indeed...

Warner

> static int
> ciss_detach(device_t dev)
> {
>     struct ciss_softc *sc = device_get_softc(dev);
>     ...
>     ciss_free(sc);
>     return (0);
> }
>
> static void
> ciss_free(struct ciss_softc *sc)
> {
>     ...
> ->  ciss_notify_abort(sc);
>     ...
> }
>
> static int
> ciss_notify_abort(struct ciss_softc *sc)
> {
>     struct ciss_request *cr;
>     ...
>     if ((error = ciss_get_request(sc, &cr)) != 0)
>         goto out;
>     ...
> ->  ciss_print_request(cr);
>     ...
> }
>
> static void
> ciss_print_request(struct ciss_request *cr)
> {
>     struct ciss_softc *sc;
>     ...
>     sc = cr->cr_sc;
>     ...
> ->  ciss_printf(sc, "REQUEST @ %p\n", cr);
>     ciss_printf(sc, "  data %p/%d tag %d flags %b\n",
>         cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
>         "\20\1mapped\2sleep\3poll\4dataout\5datain\n");
> }
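The pattern the thread is about, shown as an added example that is not part of this message and not code from ciss.c: a driver-style debug formatter that writes an object's raw address with %p, beside a variant that logs a keyed hash of the pointer so log lines about one object can still be correlated without giving away where it lives. The request struct, the per-boot hash key and the keyed-FNV hash are constructed for the example; ciss_printf has no such facility and the key is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a driver request object (not ciss.c's struct ciss_request). */
struct request {
    uint32_t tag;
    uint32_t flags;
};

/*
 * Leaky form: the object's address goes straight into the log line, as
 * "REQUEST @ %p" does in the quoted driver code.  Whoever can read the
 * kernel message buffer learns where this allocation lives.
 */
int format_request_leaky(char *buf, size_t len, const struct request *cr)
{
    return snprintf(buf, len, "REQUEST @ %p tag %u flags %#x",
                    (const void *)cr, (unsigned)cr->tag, (unsigned)cr->flags);
}

/*
 * Assumed per-boot secret for hashing pointers before they are logged.  A
 * kernel would draw it from the entropy pool at boot; it is a fixed constant
 * here so the example is deterministic.
 */
static uint64_t ptr_hash_key = 0x243f6a8885a308d3ULL;

/*
 * Keyed hash of a pointer: stable for the life of the key, so log lines about
 * one object can still be correlated, but not invertible to the address.
 * Keyed FNV-1a keeps the example short; a kernel would use SipHash or another
 * PRF with a real key.
 */
uint64_t hash_ptr(const void *p)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ ptr_hash_key;
    uintptr_t v = (uintptr_t)p;
    for (unsigned i = 0; i < sizeof(v); i++) {
        h ^= (uint64_t)((v >> (8 * i)) & 0xff);
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hardened form: same tag/flags diagnostics, an opaque id instead of the address. */
int format_request_safe(char *buf, size_t len, const struct request *cr)
{
    return snprintf(buf, len, "REQUEST id %016llx tag %u flags %#x",
                    (unsigned long long)hash_ptr(cr),
                    (unsigned)cr->tag, (unsigned)cr->flags);
}

/* Returns 1 if the line contains obj's address as %p would print it, else 0. */
int line_leaks_address(const char *line, const void *obj)
{
    char raw[2 + 2 * sizeof(void *) + 1];
    snprintf(raw, sizeof(raw), "%p", obj);
    return strstr(line, raw) != NULL;
}

/*
 * Formats one constructed request both ways and reports what leaked:
 * bit 0 set if the leaky line exposes the address, bit 1 if the safe line does.
 */
int check_formats(void)
{
    static struct request cr = { .tag = 7, .flags = 0x3 };
    char leaky[96], safe[96];

    format_request_leaky(leaky, sizeof(leaky), &cr);
    format_request_safe(safe, sizeof(safe), &cr);
    return (line_leaks_address(leaky, &cr) ? 1 : 0) |
           (line_leaks_address(safe, &cr) ? 2 : 0);
}

int main(void)
{
    static struct request cr = { .tag = 7, .flags = 0x3 };
    char line[96];

    format_request_leaky(line, sizeof(line), &cr);
    printf("leaky: %s\n", line);
    format_request_safe(line, sizeof(line), &cr);
    printf("safe:  %s\n", line);
    return check_formats() == 1 ? 0 : 1;
}
```

Whether a line like this is actually a disclosure depends on who can read the destination. On FreeBSD the kernel message buffer is readable by unprivileged users through dmesg unless security.bsd.unprivileged_read_msgbuf is set to 0, so a %p in any driver printf that a user can provoke is worth a look; the reachability argument in the reply above (detach happens only on module unload or devctl, after the last close, with no outstanding requests) is what decides whether this particular one can be provoked at all.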