From owner-freebsd-hackers@freebsd.org Thu Jun 13 02:54:59 2019
From: Fuqian Huang
Date: Thu, 13 Jun 2019 10:54:46 +0800
Subject: Re: Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c
To: Warner Losh
Cc: "freebsd-hackers@freebsd.org"
But why will there be no commands printed? 'cr' is obtained from ciss_get_request and 'cr->cr_data' is the result of malloc in ciss_notify_abort, and they are freed after the 'out' label. At the printing point, some address has already been printed out. I know what you mean, that this only happens when detaching the device. But it seems that some address is printed out before the free operation, and is it necessary to print the address?

Warner Losh wrote on Thu, 13 Jun 2019 at 5:51 AM:
>
> On Wed, Jun 12, 2019 at 7:02 AM Fuqian Huang wrote:
>>
>> In freebsd/sys/dev/ciss/ciss.c, function ciss_print_request will dump
>> the address of a kernel object cr to user space. Each time a
>> device is detached, it will call
>> ciss_free->ciss_notify_abort->ciss_print_request, and this finally
>> dumps a kernel address to user space.
>
> This is, at best, a theoretical concern. ciss_detach isn't called except when detaching the device. This only happens if you are unloading the module or using devctl to detach it. Second, the bit you chopped out of ciss_detach ensures that the controller isn't open. Close is only called when there's no pending requests from geom to the device, and we get called for the LAST close, meaning nothing else has it open. This means there will be no commands to abort when ciss_notify_abort() is called. Since there are no commands to abort, there will be no commands that are printed, so no user address will be disclosed.
>
> Having said that, do you have a test case that can trigger this? It would be most unexpected indeed...
>
> Warner
>
>> static int
>> ciss_detach(device_t dev)
>> {
>>     struct ciss_softc *sc = device_get_softc(dev);
>>     ...
>>     ciss_free(sc);
>>     return (0);
>> }
>>
>> static void
>> ciss_free(struct ciss_softc *sc)
>> {
>>     ...
>> ->  ciss_notify_abort(sc);
>>     ...
>> }
>>
>> static int
>> ciss_notify_abort(struct ciss_softc *sc)
>> {
>>     struct ciss_request *cr;
>>     ...
>>     if ((error = ciss_get_request(sc, &cr)) != 0)
>>         goto out;
>>     ...
>> ->  ciss_print_request(cr);
>>     ...
>> }
>>
>> static void
>> ciss_print_request(struct ciss_request *cr)
>> {
>>     struct ciss_softc *sc;
>>     ...
>>     sc = cr->cr_sc;
>>     ...
>> ->  ciss_printf(sc, "REQUEST @ %p\n", cr);
>>     ciss_printf(sc, "  data %p/%d  tag %d  flags %b\n",
>>         cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
>>         "\20\1mapped\2sleep\3poll\4dataout\5datain\n");
>> }
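As an added illustration of the change the question above points at (this is example code, not code from the thread or from ciss.c): a userland model of ciss_print_request that keeps the request description, including a re-implementation of the kernel printf(9) %b flag decoding that the call site uses, but prints no kernel virtual addresses. The struct and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ciss_request fields the driver prints. */
struct ciss_request_model {
    void *cr_data; int cr_length; int cr_tag; unsigned cr_flags;
};

/* Flag table as at the ciss.c call site: byte 0 is the radix (\20 = 16),
 * then <bit number, name> pairs; a name runs until the next control byte. */
static const char CR_FLAG_FMT[] = "\20\1mapped\2sleep\3poll\4dataout\5datain";

/* Userland re-implementation of the printf(9) %b conversion: the value in
 * the table's radix, then "<name,name>" for every set bit that has a name. */
static int fmt_b(char *out, size_t outsz, unsigned num, const char *p)
{
    int n, first = 1;
    n = (*p == 16) ? snprintf(out, outsz, "%x", num)
                   : snprintf(out, outsz, "%o", num);
    p++;
    if (num == 0)
        return n;
    while (*p) {
        int bit = *p++;
        if (num & (1u << (bit - 1))) {
            n += snprintf(out + n, outsz - n, "%c", first ? '<' : ',');
            first = 0;
            for (; *p > ' ' && n < (int)outsz - 1; p++)
                out[n++] = *p;
            out[n] = '\0';
        } else {
            while (*p > ' ')
                p++;
        }
    }
    if (!first)
        n += snprintf(out + n, outsz - n, ">");
    return n;
}

/* Hardened counterpart of ciss_print_request: identifies the request by tag,
 * length and decoded flags, never by the address of cr or cr->cr_data. */
int format_request_safe(char *out, size_t outsz, const struct ciss_request_model *cr)
{
    char flags[64];
    fmt_b(flags, sizeof flags, cr->cr_flags, CR_FLAG_FMT);
    return snprintf(out, outsz, "REQUEST tag %d: data len %d flags %s",
                    cr->cr_tag, cr->cr_length, flags);
}
```

A request with flags 0x11 is described as "flags 11<mapped,datain>", which is enough to debug the abort path without exposing where the request or its buffer live in kernel memory.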