From: Neeraj Pal
Date: Wed, 14 Aug 2019 01:48:54 +0530
Subject: Re: Regarding the bug in FreeBSD kernel driver(s)
To: Ian Lepore
Cc: freebsd-arch@freebsd.org, Hans Petter Selasky

Hi Ian,

On Wed, Aug 14, 2019 at 1:39 AM Ian Lepore wrote:
>
> On Wed, 2019-08-14 at 01:10 +0530, Neeraj Pal wrote:
> > Hi there,
> >
> > After discussing the issue with the security-team, I have posted it
> > publicly.
> >
> > Please find the bug information given below with workaround diff:
> >
> > I have observed the "NULL pointer dereference" bug inside the FreeBSD
> > kernel driver code, due to which the kernel gets into panic (or DoS)
> > mode and then has to reboot.
> >
> > Actually, this vulnerability resides in lots of kernel drivers like
> > "uhub0", "ubt0", "umass0", "run0", "uhid0" etc.
> >
> > I have tested and observed the panic for the following kernel drivers:
> >
> > - usb,
> > - umass (storage),
> > - ubt (bluetooth),
> > - run0 (wifi),
> > - uhid
> >
> > [...]
> >
> > Please confirm and let me know if any other info is required.
> >
>
> It appears the problem is limited to usb devices, not all devices in
> the system. It looks like the root of the NULL ivars problem is this
> code from usb_device.c:
>
>     if (device_probe_and_attach(iface->subdev) == 0) {
>         /*
>          * The USB attach arguments are only available during probe
>          * and attach !
>          */
>         uaa->temp_dev = NULL;
>         device_set_ivars(iface->subdev, NULL);
>         ...
>
> So once a device is attached the first time, its usb ivars are wiped
> out. That code was surely written in a time before the devctl stuff
> was added to allow disabling/enabling a device on the fly. I'm not
> sure whether it will be easy to keep the ivar data around, but if so, I
> think that would be the right fix.

Yeah, as I mentioned, it is only limited to USB devices, especially
those which are using struct usb_attach_arg with the device_get_ivars(9)
API.

> The NULL pointer checks in the patches will prevent a kernel panic, but
> don't really make devctl enable work properly. Speaking of devctl, you
> don't need a program to test this, you can do it from the command line:
>
>     devctl disable uhub2
>     devctl enable uhub2
>

And, yeah, it will remove the panic, and I verified devctl after
patching the code; it seems to be working fine, like enabling and
disabling. So, I attached the patch. Please feel free to modify it as
per requirements.

Yeah, you are right, but for the sake of the PoC, I have modified the
same devctl code to remove the unnecessary devctl commands. My initial
test attempts were from the command line only.

--
Thank you!
Sincere regards;
Neeraj Pal
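The lifecycle the thread describes (a bus-side attach that wipes the ivars after the first successful attach, so a later `devctl enable` hands the driver a NULL pointer) can be modelled in user space. The following is an added example, not FreeBSD code and not the patch posted in the thread: `struct attach_arg`, `struct model_device`, `bus_probe_and_attach`, `bus_disable`, `bus_enable` and `run_cycle` are constructed stand-ins for `struct usb_attach_arg`, a newbus device, and the `usb_device.c` path quoted by Ian. It shows both mitigations discussed: the NULL check in the driver's attach routine (what the posted patches do, which avoids the panic but leaves the re-enabled device unattached), and retaining the ivar data across the disable/enable cycle (the direction Ian suggests as the real fix, which lets the second attach succeed).

```c
/*
 * Constructed user-space model of the ivars lifecycle discussed in the
 * thread. This is NOT FreeBSD code: the names below are stand-ins for
 * struct usb_attach_arg, a newbus device_t, and the usb_device.c attach
 * path that wipes ivars after the first successful attach.
 */
#include <stddef.h>
#include <stdio.h>

#define MODEL_OK    0
#define MODEL_ENXIO 6   /* errno value a driver conventionally returns for "no such device" */

struct attach_arg {             /* stand-in for struct usb_attach_arg */
    int vendor_id;
    int product_id;
};

struct model_device {           /* stand-in for a newbus device_t */
    const char *name;
    struct attach_arg *ivars;   /* what device_get_ivars(9) would hand back */
    struct attach_arg saved;    /* copy retained when keep_ivars is set */
    int attached;
    int null_ivars_seen;        /* number of attaches that found ivars == NULL */
};

/* Driver attach with the NULL check the posted patches add: on a NULL
 * pointer it refuses to attach instead of dereferencing it. */
static int driver_attach_checked(struct model_device *dev)
{
    struct attach_arg *uaa = dev->ivars;

    if (uaa == NULL) {
        dev->null_ivars_seen++;
        return MODEL_ENXIO;
    }
    if (uaa->vendor_id == 0)
        return MODEL_ENXIO;     /* would not match this driver anyway */
    dev->attached = 1;
    return MODEL_OK;
}

/* Bus-side attach modelled on the quoted usb_device.c fragment: after a
 * successful attach the attach arguments are wiped. With keep_ivars set,
 * a copy is retained instead so a later re-enable still sees them. */
static int bus_probe_and_attach(struct model_device *dev, int keep_ivars)
{
    int err = driver_attach_checked(dev);

    if (err == MODEL_OK) {
        if (keep_ivars) {
            dev->saved = *dev->ivars;   /* retain for a later re-enable */
            dev->ivars = &dev->saved;
        } else {
            dev->ivars = NULL;          /* mirrors device_set_ivars(subdev, NULL) */
        }
    }
    return err;
}

/* devctl disable: detach the driver; the bus leaves ivars alone. */
static void bus_disable(struct model_device *dev)
{
    dev->attached = 0;
}

/* devctl enable: probe and attach again with whatever ivars remain. */
static int bus_enable(struct model_device *dev, int keep_ivars)
{
    return bus_probe_and_attach(dev, keep_ivars);
}

/* Run the boot-time attach followed by the disable/enable cycle from the
 * thread. Returns the second attach's error code: MODEL_ENXIO when ivars
 * were wiped, MODEL_OK when they were kept. *null_seen receives how many
 * times the driver saw NULL ivars (1 when wiped, 0 when kept). */
static int run_cycle(int keep_ivars, int *null_seen)
{
    struct attach_arg uaa = { .vendor_id = 0x1234, .product_id = 0x5678 }; /* constructed */
    struct model_device dev = { .name = "uhub2", .ivars = &uaa };
    int err;

    err = bus_probe_and_attach(&dev, keep_ivars);   /* first attach at boot */
    if (err != MODEL_OK)
        return err;
    bus_disable(&dev);                              /* devctl disable uhub2 */
    err = bus_enable(&dev, keep_ivars);             /* devctl enable uhub2 */
    if (null_seen != NULL)
        *null_seen = dev.null_ivars_seen;
    return err;
}

int main(void)
{
    int null_seen = 0;
    int err = run_cycle(0, &null_seen);
    printf("wiped ivars: second attach -> %d (NULL seen %d times)\n", err, null_seen);
    err = run_cycle(1, &null_seen);
    printf("kept ivars:  second attach -> %d (NULL seen %d times)\n", err, null_seen);
    return 0;
}
```

Without the NULL check, the second `driver_attach_checked` call would dereference a NULL `uaa`, which is the panic the thread reports; with the check the device simply stays unattached after `devctl enable`, and only the `keep_ivars` path restores the full enable behaviour.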