Date:      Thu, 13 Jun 2019 10:54:46 +0800
From:      Fuqian Huang <huangfq.daxian@gmail.com>
To:        Warner Losh <imp@bsdimp.com>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c
Message-ID:  <CABXRUiQ30KkP0fjYVrJCaLgCM4uPOOS1RShF6p9TDd58ZDhF3w@mail.gmail.com>
In-Reply-To: <CANCZdfoJH4y4aOZ459rarUX7L6Fd==24YGHPidEdEMrbOuAbhw@mail.gmail.com>
References:  <CABXRUiTJAxRWdTsBP5K-5axAV-EZO0ddxhStwWGDDWoi7Hwsww@mail.gmail.com> <CANCZdfoJH4y4aOZ459rarUX7L6Fd==24YGHPidEdEMrbOuAbhw@mail.gmail.com>

But why will there be no commands printed?
'cr' is obtained from ciss_get_request, and 'cr->cr_data' is the result of
malloc in ciss_notify_abort; they are freed after the 'out' label.
At the printing point, some address has already been printed out.
I understand what you mean, that this only happens when detaching the device.
But it seems that some address is printed out before the free
operation, and is it necessary to print the address?

Warner Losh <imp@bsdimp.com> wrote on Thu, Jun 13, 2019 at 5:51 AM:
>
>
>
> On Wed, Jun 12, 2019 at 7:02 AM Fuqian Huang <huangfq.daxian@gmail.com> wrote:
>>
>> In freebsd/sys/dev/ciss/ciss.c, function ciss_print_request will dump
>> the address of a kernel object cr to user space. Each time when a
>> device is detached, it will call
>> ciss_free->ciss_notify_abort->ciss_print_request, and this finally
>> dump a kernel address to user space.
>
>
> This is, at best, a theoretical concern. ciss_detach isn't called except
> when detaching the device. This only happens if you are unloading the module
> or using devctl to detach it. Second, the bit you chopped out of ciss_detach
> ensures that the controller isn't open. Close is only called when there's
> no pending requests from geom to the device, and we get called for the LAST
> close, meaning nothing else has it open. This means there will be no commands
> to abort when ciss_notify_abort() is called. Since there's no commands to
> abort, there will be no commands that are printed, so no user address will
> be disclosed.
>
> Having said that, do you have a test case that can trigger this? It would
> be most unexpected indeed...
>
> Warner
>
>>
>> static int
>> ciss_detach(device_t dev)
>> {
>>   struct ciss_softc   *sc = device_get_softc(dev);
>>   ...
>>   ciss_free(sc);
>>   return (0);
>> }
>>
>> static void
>> ciss_free(struct ciss_softc *sc)
>> {
>>   ...
>> ->  ciss_notify_abort(sc);
>>   ...
>> }
>>
>> static int
>> ciss_notify_abort(struct ciss_softc *sc)
>> {
>>   struct ciss_request *cr;
>>   ...
>>   if ((error = ciss_get_request(sc, &cr)) != 0)
>>     goto out;
>>   ...
>> ->  ciss_print_request(cr);
>>   ...
>> }
>>
>> static void
>> ciss_print_request(struct ciss_request *cr)
>> {
>>   struct ciss_softc   *sc;
>>   ...
>>   sc = cr->cr_sc;
>>   ...
>> ->  ciss_printf(sc, "REQUEST @ %p\n", cr);
>>   ciss_printf(sc, "  data %p/%d  tag %d  flags %b\n",
>>       cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
>>       "\20\1mapped\2sleep\3poll\4dataout\5datain\n");
>> }



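The pattern under discussion is a raw kernel address formatted with %p into a diagnostic line that lands in the kernel message buffer, which unprivileged users can usually read with dmesg; that is what makes such a line a KASLR-relevant disclosure whenever it fires. The following is an added example, not FreeBSD's ciss(4) code and not from either poster: a userland C stand-in for the fields ciss_print_request() dumps, shown in the original raw-%p form beside a hardened form that routes every pointer through a formatting helper gated on a debug knob. The `struct request`, the `fmt_ptr` helper, the `verbose_pointers` knob and the sample values are all constructed for the illustration; FreeBSD has no such helper, and the gate is a hypothetical design, not an existing kernel facility.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD's ciss(4) code: a userland stand-in for the
 * fields ciss_print_request() dumps. The struct and its values are constructed.
 */
struct request {
    void     *data;     /* stands in for cr->cr_data */
    int       length;   /* stands in for cr->cr_length */
    int       tag;      /* stands in for cr->cr_tag */
    unsigned  flags;    /* stands in for cr->cr_flags */
};

/* Hypothetical knob: 0 = production (redact pointers), 1 = developer build. */
int verbose_pointers = 0;

/*
 * Render a pointer for a diagnostic line. With the knob off, the raw address
 * is replaced by a fixed token, so the line still identifies the request
 * (via tag) but carries no address-space layout information.
 */
static const char *fmt_ptr(const void *p, char *buf, size_t len)
{
    if (verbose_pointers)
        snprintf(buf, len, "%p", p);
    else
        snprintf(buf, len, "%s", "<ptr>");
    return buf;
}

/* The pattern from the thread: raw %p of the request and of its data buffer. */
int print_request_raw(const struct request *cr, char *out, size_t len)
{
    return snprintf(out, len,
        "REQUEST @ %p\n  data %p/%d  tag %d  flags 0x%x\n",
        (const void *)cr, cr->data, cr->length, cr->tag, cr->flags);
}

/* Hardened variant: the same fields, minus the raw addresses. */
int print_request_safe(const struct request *cr, char *out, size_t len)
{
    char a[32], b[32];
    return snprintf(out, len,
        "REQUEST @ %s\n  data %s/%d  tag %d  flags 0x%x\n",
        fmt_ptr(cr, a, sizeof a), fmt_ptr(cr->data, b, sizeof b),
        cr->length, cr->tag, cr->flags);
}

/* Does the formatted line contain the address of p as %p would print it? */
int leaks_address(const char *line, const void *p)
{
    char hex[32];
    snprintf(hex, sizeof hex, "%p", p);
    return strstr(line, hex) != NULL;
}

/*
 * Run both formatters over one constructed request. Returns a bitmask:
 * bit 0 set if the raw line leaks an address, bit 1 set if the safe line does.
 * With verbose_pointers == 0 the expected result is 1 (only the raw line leaks);
 * with verbose_pointers == 1 both lines leak and the result is 3.
 */
int check_patterns(void)
{
    static char data_buf[64];           /* constructed stand-in for cr->cr_data */
    struct request cr = { data_buf, (int)sizeof data_buf, 7, 0x3 };
    char raw[128], safe[128];
    int mask = 0;

    print_request_raw(&cr, raw, sizeof raw);
    print_request_safe(&cr, safe, sizeof safe);

    if (leaks_address(raw, &cr) || leaks_address(raw, data_buf))
        mask |= 1;
    if (leaks_address(safe, &cr) || leaks_address(safe, data_buf))
        mask |= 2;
    return mask;
}

int main(void)
{
    int mask = check_patterns();
    printf("raw line leaks an address: %s; hardened line leaks an address: %s\n",
           (mask & 1) ? "yes" : "no", (mask & 2) ? "yes" : "no");
    return 0;
}
```

The point of gating rather than deleting the %p is that the address is genuinely useful while debugging a driver, which is why it was printed in the first place; keeping it behind an explicit developer knob preserves that use without leaving the disclosure in production kernels, whether or not the path is reachable with the controller closed.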