Date: Wed, 06 Jul 2016 02:22:05 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 210864] ggatel(8) BIO_DELETE implementation is broken Message-ID: <bug-210864-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D210864 Bug ID: 210864 Summary: ggatel(8) BIO_DELETE implementation is broken Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: julian@hsiao.email md(4) simulates BIO_DELETE by writing zeros, and I infer ggatel(8) is trying to do the same based on the code structure similarity. However, the latter's implementation is actually broken. If g_gate_ioctl(G_GATE_CMD_START, ...) returns with a BIO_DELETE request, only gctl_length and gctl_offset are updated, and gctl_data still points to the original buffer. ggatel(8) then proceeds to service BIO_DELETE as if it were BIO_WRITE, so it writes "garbage" to disk, and (hopefully) EFAULT if gctl_length is greater than gctl_data's actual length. PoC: # cd /tmp # clang -x c -o bug - <<'BUG' #include <assert.h> #include <fcntl.h> #include <sys/disk.h> #include <sys/ioctl.h> int main() { const int fd =3D open("/dev/ggate0", O_RDWR | O_CLOEXEC | O_DIRECT); assert(fd !=3D -1); off_t ol[2] =3D { 40960, 4096 }; assert(ioctl(fd, DIOCGDELETE, ol) !=3D -1); return(0); } BUG # truncate -s 10m test # ggatel create -s 4096 test # dd if=3D/dev/zero bs=3D4096 count=3D1 | LC_ALL=3DC tr '\0' '\252' | dd of=3D/dev/ggate0 bs=3D4096 # ./bug # hexdump -C /dev/ggate0 00000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa |..............= ..| * 00001000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |..............= ..| * 0000a000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa |..............= ..| * 0000b000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |..............= ..| * 00a00000 I'm not sure of the security implication of this bug, since to trigger the bug directly requires elevated privileges. However, there may be clever ways to trigger it by proxy. IMHO, simulating BIO_DELETE by writing zeros is questionable, however not everyone agrees[0]. That said, you can always use md(4) instead, so I suggest ggatel(8) should just return EOPNOTSUPP for BIO_DELETE. [0] http://thread.gmane.org/gmane.os.freebsd.devel.hackers/57688/focus=3D57= 689 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-210864-8>