From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 210864] ggatel(8) BIO_DELETE implementation is broken
Date: Wed, 06 Jul 2016 02:22:05 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210864

            Bug ID: 210864
           Summary: ggatel(8) BIO_DELETE implementation is broken
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: julian@hsiao.email

md(4) simulates BIO_DELETE by writing zeros, and I infer ggatel(8) is trying
to do the same based on the code structure similarity. However, the latter's
implementation is actually broken.

If g_gate_ioctl(G_GATE_CMD_START, ...) returns with a BIO_DELETE request, only
gctl_length and gctl_offset are updated, and gctl_data still points to the
original buffer. ggatel(8) then proceeds to service BIO_DELETE as if it were
BIO_WRITE, so it writes "garbage" to disk, and (hopefully) gets EFAULT if
gctl_length is greater than gctl_data's actual length.

PoC:

# cd /tmp
# clang -x c -o bug - <<'BUG'
#include <fcntl.h>
#include <assert.h>
#include <sys/ioctl.h>
#include <sys/disk.h>

int main() {
    /* Open the ggate device and ask GEOM to delete 4096 bytes at offset 40960. */
    const int fd = open("/dev/ggate0", O_RDWR | O_CLOEXEC | O_DIRECT);
    assert(fd != -1);
    off_t ol[2] = { 40960, 4096 };
    assert(ioctl(fd, DIOCGDELETE, ol) != -1);
    return(0);
}
BUG
# truncate -s 10m test
# ggatel create -s 4096 test
# dd if=/dev/zero bs=4096 count=1 | LC_ALL=C tr '\0' '\252' | dd of=/dev/ggate0 bs=4096
# ./bug
# hexdump -C /dev/ggate0
00000000  aa aa aa aa aa aa aa aa  aa aa aa aa aa aa aa aa  |................|
*
00001000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000a000  aa aa aa aa aa aa aa aa  aa aa aa aa aa aa aa aa  |................|
*
0000b000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00a00000

I'm not sure of the security implication of this bug, since triggering the
bug directly requires elevated privileges. However, there may be clever ways
to trigger it by proxy.

IMHO, simulating BIO_DELETE by writing zeros is questionable; however, not
everyone agrees[0]. That said, you can always use md(4) instead, so I suggest
ggatel(8) should just return EOPNOTSUPP for BIO_DELETE.

[0] http://thread.gmane.org/gmane.os.freebsd.devel.hackers/57688/focus=57689
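The defect the report describes (a BIO_DELETE request serviced through the BIO_WRITE path while the data pointer still refers to an older buffer) next to the EOPNOTSUPP handling the reporter proposes, as an added C simulation against an in-memory backing store. This is not ggatel's code: the request structure, the SIM_* command constants, and the function names are hypothetical stand-ins, and the 0xaa/0x55 fill values are constructed to mirror the report's scenario.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simulated request carrying the fields the report names. The data pointer is
 * only meaningful for a WRITE; on a DELETE it still points at the previous
 * buffer. Hypothetical shape, not ggatel's real structure. */
enum { SIM_WRITE = 1, SIM_DELETE = 2 };
struct sim_req { int cmd; size_t offset; size_t length; unsigned char *data; };

#define DISK_SIZE 16384
static unsigned char disk[DISK_SIZE];   /* stands in for the backing file */

/* fixed == 0 reproduces the bug: DELETE falls through to the WRITE path and the
 * stale buffer is copied onto the backing store. fixed != 0 applies the
 * reporter's suggestion: DELETE is refused with EOPNOTSUPP and data untouched. */
int handle(struct sim_req *r, int fixed) {
    if (r->length > DISK_SIZE || r->offset > DISK_SIZE - r->length)
        return EINVAL;
    switch (r->cmd) {
    case SIM_DELETE:
        if (fixed)
            return EOPNOTSUPP;
        /* fall through: this is the defect being demonstrated */
    case SIM_WRITE:
        memcpy(disk + r->offset, r->data, r->length);
        return 0;
    default:
        return EOPNOTSUPP;
    }
}

/* Replays the report's scenario: disk filled with 0xaa, then a DELETE of
 * [4096, 8192) whose data pointer still holds an older 0x55 buffer.
 * Returns the handler's status and stores the byte found at offset 4096. */
int run_scenario(int fixed, unsigned char *seen) {
    static unsigned char stale[4096];
    memset(stale, 0x55, sizeof stale);    /* leftover from an earlier write */
    memset(disk, 0xaa, DISK_SIZE);
    struct sim_req del = { SIM_DELETE, 4096, 4096, stale };
    int rc = handle(&del, fixed);
    *seen = disk[4096];
    return rc;
}

/* Single-value wrappers: broken path leaves 0x55, fixed path leaves 0xaa. */
int broken_byte(void)  { unsigned char b; run_scenario(0, &b); return b; }
int fixed_byte(void)   { unsigned char b; run_scenario(1, &b); return b; }
int fixed_status(void) { unsigned char b; return run_scenario(1, &b); }
```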