266115 – bad use of user pointer in cam_ioctl() CTL_PORT_REQ

Bug 266115 - bad use of user pointer in cam_ioctl() CTL_PORT_REQ

Summary: bad use of user pointer in cam_ioctl() CTL_PORT_REQ

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Alexander Motin

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-08-30 15:52 UTC by Robert Morris
Modified:	2022-09-14 17:29 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Morris 2022-08-30 15:52:41 UTC

In cam/ctl.c, ctl_ioctl(), for CTL_PORT_REQ, if user code passes in a
non-null req->result_nvl, but a null req->result, and fe->ioctl is
zero, then ctl_ioctl() calls nvlist_destroy() with the user-supplied
req->result_nvl.

Here's a demo:

int main() {
  int fd = open("/dev/cam/ctl", 2);
  char buf[256];
  memset(buf, 0, sizeof(buf));
  strcpy(buf, "camtgt"); // driver
  *(unsigned long long *)(buf+72) = 0x8000000000000000; // result_nvl
  ioctl(fd, 0xc100e126, buf); // CTL_PORT_REQ
}

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #40 main-n250928-b8170f38ccc7-dirty: Mon Aug 29 13:09:55 EDT 2022     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc x.c
# ./a.out
panic: Fatal page fault at 0xffffffc0000a9b16: 0x8000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x8000000000000000
nvlist_destroy() at nvlist_destroy+0x10
ctl_ioctl() at ctl_ioctl+0x183a
devfs_ioctl() at devfs_ioctl+0xbe
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30
VOP_IOCTL() at VOP_IOCTL+0x36
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

Comment 1 Robert Morris 2022-08-31 15:15:40 UTC

Similarly, for a CTL_LUN_REQ ioctl, if the user program sets backend[]
to "block", lun_req->result_nvl to e.g. 0x8000000000000000, and
lun_req->result to NULL, backend->ioctl() (which is
ctl_be_block_ioctl()) won't modify reslt_nvl, but ctl_ioctl() will
call nvlist_destroy(lun_req->result_nvl), causing a crash.

Comment 2 Warner Losh freebsd_committer

2022-09-07 00:07:39 UTC

I'll take a look shortly... but if somebody else has a patch sooner than I look at it so much the better.

Comment 3 Alexander Motin freebsd_committer

2022-09-07 01:36:00 UTC

This device is available only to root user, so it is a form of foot shooting.  But OK, I'll patch it.

Comment 4 commit-hook freebsd_committer

2022-09-07 02:08:31 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0586be48a97c5af50ba4f578d33211f81cc57016

commit 0586be48a97c5af50ba4f578d33211f81cc57016
Author:     Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2022-09-07 01:58:27 +0000
Commit:     Alexander Motin <mav@FreeBSD.org>
CommitDate: 2022-09-07 01:58:27 +0000

    CTL: Validate IOCTL parameters.

    It was possible to cause kernel panic by passing too large args_len
    or non-NULL result_nvl.

    Though since the /dev/cam/ctl device is accessible only by root and
    used only by limited number of tools it was not a big problem.

    PR:     266115
    PR:     266136
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

 sys/cam/ctl/ctl.c       | 14 ++++++++++++++
 sys/cam/ctl/ctl_ioctl.h |  1 +
 2 files changed, 15 insertions(+)

Comment 5 commit-hook freebsd_committer

2022-09-14 17:28:21 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c48d0754a05334cacbe6cd34871c10f3ef6f4d56

commit c48d0754a05334cacbe6cd34871c10f3ef6f4d56
Author:     Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2022-09-07 01:58:27 +0000
Commit:     Alexander Motin <mav@FreeBSD.org>
CommitDate: 2022-09-14 17:27:04 +0000

    CTL: Validate IOCTL parameters.

    It was possible to cause kernel panic by passing too large args_len
    or non-NULL result_nvl.

    Though since the /dev/cam/ctl device is accessible only by root and
    used only by limited number of tools it was not a big problem.

    PR:     266115
    PR:     266136
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

    (cherry picked from commit 0586be48a97c5af50ba4f578d33211f81cc57016)

 sys/cam/ctl/ctl.c       | 14 ++++++++++++++
 sys/cam/ctl/ctl_ioctl.h |  1 +
 2 files changed, 15 insertions(+)

Comment 6 commit-hook freebsd_committer

2022-09-14 17:29:23 UTC

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ce1895b7248d5601b34d0d6492539a7081a8d451

commit ce1895b7248d5601b34d0d6492539a7081a8d451
Author:     Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2022-09-07 01:58:27 +0000
Commit:     Alexander Motin <mav@FreeBSD.org>
CommitDate: 2022-09-14 17:28:18 +0000

    CTL: Validate IOCTL parameters.

    It was possible to cause kernel panic by passing too large args_len
    or non-NULL result_nvl.

    Though since the /dev/cam/ctl device is accessible only by root and
    used only by limited number of tools it was not a big problem.

    PR:     266115
    PR:     266136
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

    (cherry picked from commit 0586be48a97c5af50ba4f578d33211f81cc57016)

 sys/cam/ctl/ctl.c       | 14 ++++++++++++++
 sys/cam/ctl/ctl_ioctl.h |  1 +
 2 files changed, 15 insertions(+)