From owner-freebsd-arch@freebsd.org Tue Aug 13 20:09:03 2019
From: Ian Lepore <ian@freebsd.org>
To: Neeraj Pal, freebsd-arch@freebsd.org
Cc: Hans Petter Selasky
Subject: Re: Regarding the bug in FreeBSD kernel driver(s)
Date: Tue, 13 Aug 2019 14:08:58 -0600
On Wed, 2019-08-14 at 01:10 +0530, Neeraj Pal wrote:
> Hi there,
>
> After discussing the issue with the security-team, I have posted it
> publicly.
>
> Please find the bug information given below with workaround diff:
>
> I have observed the "NULL pointer dereference" bug inside the FreeBSD
> kernel driver code, due to which the kernel gets into panic (or DoS)
> mode and then it has to reboot.
>
> Actually, this vulnerability resides in lots of kernel drivers like
> "uhub0", "ubt0", "umass0", "run0", "uhid0" etc.
>
> I have tested and observed the panic for the following kernel drivers:
>
> - usb,
> - umass (storage),
> - ubt (bluetooth),
> - run0 (wifi),
> - uhid
>
> [...]
>
> Please confirm and let me know if any other info is required.
>

It appears the problem is limited to usb devices, not all devices in the
system. It looks like the root of the NULL ivars problem is this code
from usb_device.c:

    if (device_probe_and_attach(iface->subdev) == 0) {
        /*
         * The USB attach arguments are only available during probe
         * and attach !
         */
        uaa->temp_dev = NULL;
        device_set_ivars(iface->subdev, NULL);
        ...

So once a device is attached the first time, its usb ivars are wiped
out. That code was surely written in a time before the devctl stuff was
added to allow disabling/enabling a device on the fly. I'm not sure
whether it will be easy to keep the ivar data around, but if so, I think
that would be the right fix. The NULL pointer checks in the patches will
prevent a kernel panic, but don't really make devctl enable work
properly.

Speaking of devctl, you don't need a program to test this; you can do it
from the command line:

    devctl disable uhub2
    devctl enable uhub2

-- 
Ian
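The following is an added example, not code from the FreeBSD tree or from either poster. It is a small constructed model of the ivars lifecycle Ian describes: the bus hands the child a probe/attach argument block, clears that pointer after a successful attach, and a later `devctl enable` re-probes the child with NULL ivars. Every name in it (`toy_*`, `FIX_*`, `TOY_*`) is invented for the model and stands in for `struct usb_attach_arg`, `device_set_ivars()` and friends. It contrasts the two remedies discussed in the thread: a NULL check in probe (no panic, but the device never comes back) versus keeping the attach arguments alive for the child's lifetime (re-enable really re-attaches).

```c
/*
 * Constructed model of the USB ivars lifecycle; not FreeBSD code.
 * FIX_NONE       - current behaviour: ivars cleared after attach, re-probe
 *                  dereferences NULL (modelled as TOY_EFAULT, not a crash).
 * FIX_NULL_CHECK - workaround-style patch: probe refuses NULL ivars.
 * FIX_KEEP_IVARS - keep the attach arguments for the child's lifetime.
 */
#include <stddef.h>
#include <stdio.h>

#define TOY_OK     0
#define TOY_ENXIO  6   /* mirrors errno ENXIO: probe declined the device */
#define TOY_EFAULT 14  /* stands in for the kernel panic the real bug causes */

enum toy_fix { FIX_NONE, FIX_NULL_CHECK, FIX_KEEP_IVARS };

struct toy_attach_arg {            /* stands in for struct usb_attach_arg */
    int vendor_id;
    int product_id;
};

struct toy_device {                /* stands in for a device_t child */
    struct toy_attach_arg *ivars;  /* what device_get_ivars() would return */
    int attached;
    int enabled;
};

/* Driver probe: real USB drivers read vendor/product ids from ivars. */
static int toy_probe(struct toy_device *dev, enum toy_fix fix)
{
    struct toy_attach_arg *uaa = dev->ivars;

    if (uaa == NULL) {
        /* Only the NULL-check patch guards here; without it the real
         * driver dereferences NULL and panics, modelled as TOY_EFAULT. */
        return fix == FIX_NULL_CHECK ? TOY_ENXIO : TOY_EFAULT;
    }
    return uaa->vendor_id == 0x1234 ? TOY_OK : TOY_ENXIO;
}

/* Bus side: first-time probe and attach, mirroring the quoted
 * usb_device.c fragment. */
static int toy_bus_attach(struct toy_device *dev, struct toy_attach_arg *uaa,
                          enum toy_fix fix)
{
    int err;

    dev->ivars = uaa;                 /* device_set_ivars(dev, uaa) */
    err = toy_probe(dev, fix);
    if (err != TOY_OK)
        return err;
    dev->attached = 1;
    dev->enabled = 1;
    /* The step the thread points at: the attach arguments are treated as
     * probe/attach-only, so the bus wipes them after a successful attach. */
    if (fix != FIX_KEEP_IVARS)
        dev->ivars = NULL;            /* device_set_ivars(dev, NULL) */
    return TOY_OK;
}

/* "devctl disable": detach the driver but keep the device node. */
static void toy_devctl_disable(struct toy_device *dev)
{
    dev->attached = 0;
    dev->enabled = 0;
}

/* "devctl enable": re-run probe/attach on the existing node, using
 * whatever ivars are still hanging off it. */
static int toy_devctl_enable(struct toy_device *dev, enum toy_fix fix)
{
    int err = toy_probe(dev, fix);

    if (err == TOY_OK) {
        dev->attached = 1;
        dev->enabled = 1;
    }
    return err;
}

struct toy_outcome { int enable_err; int reattached; };

/* Runs attach -> disable -> enable for one remedy and reports the
 * re-enable's probe result and whether the device came back. */
static struct toy_outcome toy_cycle(enum toy_fix fix)
{
    struct toy_attach_arg uaa = { 0x1234, 0x5678 };  /* constructed sample ids */
    struct toy_device dev = { NULL, 0, 0 };
    struct toy_outcome out = { TOY_EFAULT, 0 };

    if (toy_bus_attach(&dev, &uaa, fix) != TOY_OK)
        return out;
    toy_devctl_disable(&dev);
    out.enable_err = toy_devctl_enable(&dev, fix);
    out.reattached = dev.attached;
    return out;
}

int main(void)
{
    static const char *names[] = { "no fix", "NULL check", "keep ivars" };

    for (int f = FIX_NONE; f <= FIX_KEEP_IVARS; f++) {
        struct toy_outcome o = toy_cycle((enum toy_fix)f);
        printf("%-10s: re-enable -> err %d, reattached %d\n",
               names[f], o.enable_err, o.reattached);
    }
    return 0;
}
```

Running it prints one line per remedy: with no fix the re-enable hits the NULL dereference, with the NULL check it fails cleanly with ENXIO but the device stays detached, and only when the ivars survive the first attach does `devctl enable` bring the device back, which is the distinction Ian draws between preventing the panic and making devctl enable actually work.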