Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 Jun 2003 22:29:17 -0700
From:      John-Mark Gurney <gurney_j@efn.org>
To:        Bruce Evans <bde@zeta.org.au>
Cc:        Robert Watson <rwatson@freebsd.org>
Subject:   Re: make /dev/pci really readable
Message-ID:  <20030617052917.GF73854@funkthat.com>
In-Reply-To: <20030617120956.N30677@gamplex.bde.org>
References:  <Pine.NEB.3.96L.1030616155956.8726C-100000@fledge.watson.org> <20030617120956.N30677@gamplex.bde.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Bruce Evans wrote this message on Tue, Jun 17, 2003 at 12:36 +1000:
> On Mon, 16 Jun 2003, Robert Watson wrote:
> 
> > On Mon, 16 Jun 2003, John-Mark Gurney wrote:
> >
> > > again, I just proposed -l, not -r to become user readable. I know that
> > > -r has problems.  I've crashed the sparc box a number of times by
> > > specifing pciconf -r pci1:5:0 0x0:0xf.
> 
> Yes, it seems that -l is fairly safe, and it wasn't the default just because
> no one wrote the small hack to change the permissions check for the -l case
> only.

Ok, sounds like most people agree on -l being readable...

> > > > odd use of useracc(), printf(), etc, in the ioctl code.  I suspect this
> > >
> > > well, do you mean odd use of printf as in providing diagnostics to catch
> > > mismatched userland/kernel?
> >
> > Spamming the console with messages can have debilitating effects on the
> > operation of the system if performed by unprivileged users...  I.e., if
> > you're using a serial console.
> 
> I.e., if you are using a console.  Spamming of syscons consoles messes them
> up too, and is more likely to cause panics since the syscons console output
> is less reentrant than sio console output.

I removed those printf's since they really didn't contain any information
more than the user already knew..

> > > for useracc, it checks to make sure that various pointers passed to it
> > > are either readable or writable.  I don't see this as odd.  Or is there
> > > another better method of checking user data when accessing user space
> > > buffers?
> >
> > Generally, calls to useracc() are redundant with the existing checks in
> > our copyin/out routines, or are signs that the proper routines aren't
> > being used.
> 
> useracc() can be used to "improve" error handling.  That is done here.
> The "improvements" include dangerous printf()s and returning the
> undocumented errno EACCES instead of the incompletely documented one EFAULT.

Doh, reminder, update documentation..  I'm going to let the copyout
error be returned.

> > All of the fuword/suword/copyin/copyout/uio routines already
> > perform any necessary checks; manual checking is race-prone in a
> > multi-threaded smp environment regardless.
> 
> Please check the error handling carefully if you remove the useracc()'s.
> The one for writing the results back to userland gets replaced by checks
> in copyout() for each part of the results.  I think we give up after the
> first copyout() error and return that error.  That seems right.

actually, we had a problem where if we tried to copy out, but failed,
we would still increment num_matches even though the last one was bogus..

> > The (cio==NULL) test is also
> > redundant.
> 
> It is just bogus.  cio is a kernel pointer and we need it to be more than
> non-NULL to access it.  sys_generic.c:ioctl() guarantees this provided
> the definition of PCICGETCONF is correct.
> 
> > It looks like (although I haven't tried), user processes can
> > also cause the kernel to allocate unlimited amounts of kernel memory,
> > which is another bit we probably need to tighten down.
> 
> Much more serious.

Yep, the pattern_buf is allocated, and in some cases a berak happens
w/o freeing it.  So there is a memory leak her. Will be fixed soon.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030617052917.GF73854>