Date: Wed, 12 Jun 2019 21:00:52 +0800
From: Fuqian Huang <huangfq.daxian@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: Dev:Ciss: A kernel address leakage in sys/dev/ciss/ciss.c
Message-ID: <CABXRUiTJAxRWdTsBP5K-5axAV-EZO0ddxhStwWGDDWoi7Hwsww@mail.gmail.com>
In freebsd/sys/dev/ciss/ciss.c, function ciss_print_request will dump the address of a kernel object cr to user space. Each time a device is detached, it will call ciss_free->ciss_notify_abort->ciss_print_request, and this finally dumps a kernel address to user space.

    static int
    ciss_detach(device_t dev)
    {
        struct ciss_softc *sc = device_get_softc(dev);
        ...
        ciss_free(sc);
        return (0);
    }

    static void
    ciss_free(struct ciss_softc *sc)
    {
        ...
    ->  ciss_notify_abort(sc);
        ...
    }

    static int
    ciss_notify_abort(struct ciss_softc *sc)
    {
        struct ciss_request *cr;
        ...
        if ((error = ciss_get_request(sc, &cr)) != 0)
            goto out;
        ...
    ->  ciss_print_request(cr);
        ...
    }

    static void
    ciss_print_request(struct ciss_request *cr)
    {
        struct ciss_softc *sc;
        ...
        sc = cr->cr_sc;
        ...
    ->  ciss_printf(sc, "REQUEST @ %p\n", cr);
        ciss_printf(sc, "  data %p/%d  tag %d  flags %b\n",
                    cr->cr_data, cr->cr_length, cr->cr_tag, cr->cr_flags,
                    "\20\1mapped\2sleep\3poll\4dataout\5datain\n");
    }
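As an added illustration (not code from this mail or from the FreeBSD ciss driver), the C sketch below shows the pattern the report describes and one way to review for it: a helper that flags printf-style format strings containing a %p conversion, the leaky formatting of a request next to a form that identifies the request by its tag only. The struct and the field values are constructed stand-ins for the driver's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the driver's request structure; the field
 * names follow the ones quoted in the mail, the layout is not the real one. */
struct ciss_request {
    void     *cr_data;
    uint32_t  cr_length;
    int       cr_tag;
    int       cr_flags;
};

/* Return 1 if a printf-style format contains a %p conversion (after any
 * flags, width, precision or length modifier), i.e. it emits a raw pointer. */
int fmt_prints_pointer(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* skip '%' */
        if (*p == '%') { p++; continue; }      /* literal "%%" */
        while (*p != '\0' && strchr("-+ #0.123456789*lhjzt", *p) != NULL)
            p++;                               /* modifiers before the conversion */
        if (*p == 'p')
            return 1;
        if (*p == '\0')
            break;
    }
    return 0;
}

/* The pattern reported in the mail: the request's own kernel address and
 * its data pointer go into the log line that ends up readable by user space. */
int format_request_leaky(char *buf, size_t n, const struct ciss_request *cr)
{
    return snprintf(buf, n, "REQUEST @ %p data %p/%u tag %d",
                    (const void *)cr, cr->cr_data, cr->cr_length, cr->cr_tag);
}

/* Hardened form: name the request by its tag (a driver-level identifier
 * that is already in the message) and print no kernel virtual addresses. */
int format_request_safe(char *buf, size_t n, const struct ciss_request *cr)
{
    return snprintf(buf, n, "REQUEST tag %d length %u flags %#x",
                    cr->cr_tag, cr->cr_length, cr->cr_flags);
}
```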