Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 31 Oct 2016 07:21:07 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r308122 - stable/11/sys/cam/scsi
Message-ID:  <201610310721.u9V7L7Lg061476@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: mav
Date: Mon Oct 31 07:21:07 2016
New Revision: 308122
URL: https://svnweb.freebsd.org/changeset/base/308122

Log:
  MFC r307523: Make pass driver better support CAM_CDB_POINTER flag.
  
  Previously pass driver just ignored the flag, making random kernel code
  access user-space pointer, sometime causing crashes even for correctly
  written applications if user-level context was switched or swapped out.
  This patch tries to copyin the CDB into kernel space to avoid it.

Modified:
  stable/11/sys/cam/scsi/scsi_pass.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/cam/scsi/scsi_pass.c
==============================================================================
--- stable/11/sys/cam/scsi/scsi_pass.c	Mon Oct 31 05:58:11 2016	(r308121)
+++ stable/11/sys/cam/scsi/scsi_pass.c	Mon Oct 31 07:21:07 2016	(r308122)
@@ -1876,6 +1876,18 @@ passdoioctl(struct cdev *dev, u_long cmd
 			break;
 		}
 
+		if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
+			if (ccb->csio.cdb_len > IOCDBLEN) {
+				error = EINVAL;
+				break;
+			}
+			error = copyin(ccb->csio.cdb_io.cdb_ptr,
+			    ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len);
+			if (error)
+				break;
+			ccb->ccb_h.flags &= ~CAM_CDB_POINTER;
+		}
+
 		/*
 		 * Some CCB types, like scan bus and scan lun can only go
 		 * through the transport layer device.
@@ -2143,6 +2155,7 @@ passsendccb(struct cam_periph *periph, u
 {
 	struct pass_softc *softc;
 	struct cam_periph_map_info mapinfo;
+	uint8_t *cmd;
 	xpt_opcode fc;
 	int error;
 
@@ -2154,6 +2167,14 @@ passsendccb(struct cam_periph *periph, u
 	 */
 	xpt_merge_ccb(ccb, inccb);
 
+	if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
+		cmd = __builtin_alloca(ccb->csio.cdb_len);
+		error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd, ccb->csio.cdb_len);
+		if (error)
+			return (error);
+		ccb->csio.cdb_io.cdb_ptr = cmd;
+	}
+
 	/*
 	 */
 	ccb->ccb_h.cbfcnp = passdone;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610310721.u9V7L7Lg061476>