kern/58051: ccd(4) sysctl()s abused the api

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/58051: ccd(4) sysctl()s abused the api
From: paul%whooppee.com@localhost
Date: Tue, 19 Mar 2024 01:40:00 +0000 (UTC)

>Number:         58051
>Category:       kern
>Synopsis:       ccd(4) sysctl()s abused the api
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 19 01:40:00 +0000 2024
>Originator:     Paul Goyette
>Release:        NetBSD 10.99.10
>Organization:
+---------------------+--------------------------+----------------------+
| Paul Goyette (.sig) | PGP Key fingerprint:     | E-mail addresses:    |
| (Retired)           | 1B11 1849 721C 56C8 F63A | paul%whooppee.com@localhost    |
| Software Developer  | 6E2E 05FD 15CE 9F2D 5102 | pgoyette%netbsd.org@localhost  |
| & Network Engineer  |                          | pgoyette99%gmail.com@localhost |
+---------------------+--------------------------+----------------------+
>Environment:
	
	
System: NetBSD speedy.whooppee.com 10.99.10 NetBSD 10.99.10 (SPEEDY 2024-03-18 02:46:01 UTC) #0: Mon Mar 18 05:00:00 UTC 2024 paul%speedy.whooppee.com@localhost:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
	The ccd(4) sysctl()s mistreat the newp argument as an index
	to select a device unit.  On amd64 this results in an SMAP
	access error and panic's the machine.
	
>How-To-Repeat:
	Configure a ccd(4) then try ``ccdconfig -g''.
>Fix:
	The following works around the problem.  The correct solution
	would need a rewrite of ccd(4)'s sysctl() code.

Index: ccd.c
===================================================================
RCS file: /cvsroot/src/sys/dev/ccd.c,v
retrieving revision 1.189
diff -u -p -r1.189 ccd.c
--- ccd.c     28 Mar 2022 12:48:35 -0000      1.189
+++ ccd.c     5 Mar 2024 20:17:50 -0000
@@ -1772,13 +1772,14 @@ ccd_info_sysctl(SYSCTLFN_ARGS)
 	struct sysctlnode node;
 	struct ccddiskinfo ccd;
 	struct ccd_softc *sc;
-	int unit;
+	int unit, error;
  
 	if (newp == NULL || newlen != sizeof(int))
 		return EINVAL;
 
-	unit = *(const int *)newp;
-	newp = NULL;
+	error = sysctl_copyin(l, newp, &unit, sizeof unit);
+	if (error)
+		return error;
 	newlen = 0;
 	ccd.ccd_ndisks = ~0;
 	mutex_enter(&ccd_lock);
@@ -1816,8 +1817,9 @@ ccd_components_sysctl(SYSCTLFN_ARGS)
 		return EINVAL;
 
 	size = 0;
-	unit = *(const int *)newp;
-	newp = NULL;
+	error = sysctl_copyin(l, newp, &unit, sizeof unit);
+	if (error)
+		return error;
 	newlen = 0;
 	mutex_enter(&ccd_lock);
 	LIST_FOREACH(sc, &ccds, sc_link)


>Unformatted:

Prev by Date: Re: kern/58050 (ccd(4) allocates memory at inopportune moments, crashes)
Next by Date: xsrc/58052: Xorg/intel resumes to text mode
Previous by Thread: Re: kern/58050 (ccd(4) allocates memory at inopportune moments, crashes)
Next by Thread: xsrc/58052: Xorg/intel resumes to text mode
Indexes:

Home | Main Index | Thread Index | Old Index