From owner-freebsd-bugs@freebsd.org  Thu Jul 23 23:24:42 2015
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A7169A997E
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Thu, 23 Jul 2015 23:24:42 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 0DDE51DC2
 for <freebsd-bugs@FreeBSD.org>; Thu, 23 Jul 2015 23:24:42 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t6NNOfbv015920
 for <freebsd-bugs@FreeBSD.org>; Thu, 23 Jul 2015 23:24:41 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 201611] [patch] Add devfs_get_cdevpriv_from_file(9)
Date: Thu, 23 Jul 2015 23:24:42 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: aritger@nvidia.com
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-201611-8-S1c28WyvEa@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201611-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-201611-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 23:24:42 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201611

--- Comment #1 from Andy Ritger <aritger@nvidia.com> ---
Actually, for the driver to use devfs_get_cdevpriv_from_file(), as in:

    struct file *fp;
    struct driver_per_open *popen;

    fget(curthread, fd, &fp);

    devfs_get_cdevpriv_from_file(&popen, fp);

    /* use popen... */

    fdrop(fp, curthread);

someone would need to validate that the 'popen' was allocated by the driver. 
Otherwise, an attacker could open some other device file and pass that fd into
this code, tricking the driver into misinterpreting what
file::f_cdevpriv::cdpd_data points to.

I think this could be validated by comparing file::f_cdevpriv::cdpd_dtr to the
function pointer (cdevpriv_dtr_t) that was passed into devfs_set_cdevpriv(). 
Would it make sense for devfs_get_cdevpriv_from_file() to take a cdevpriv_dtr_t
as an argument?  Or is there a better way to structure this?

-- 
You are receiving this mail because:
You are the assignee for the bug.