author | Mark Johnston <markj@FreeBSD.org> | 2019-07-03 00:10:01 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2019-07-03 00:10:01 +0000 |
commit | fc795c25d40545d022b5e3d2918ae480aeb765a1 (patch) | |
tree | 8abecd9b335a433366f8cea6d7dc7cccad0d51b2 /sys/cam | |
parent | ce5ec2c559a67090e17f19b9a8c8686e413c2ad8 (diff) | |
Remove the CDIOCREADSUBCHANNEL_SYSSPACE ioctl.
This was added for emulation of Linux's CDROMSUBCHNL, but allows
users with read access to a cd(4) device to overwrite kernel memory
provided that the driver detects some media present.
Reimplement CDROMSUBCHNL by bouncing the data from CDIOCREADSUBCHANNEL
through the linux_cdrom_subchnl structure passed from userspace.
admbugs: 768
Reported by: Alex Fortune
Security: CVE-2019-5602
Security: FreeBSD-SA-19:11.cd_ioctl
Notes
Notes:
svn path=/head/; revision=349627
Diffstat (limited to 'sys/cam')
-rw-r--r-- | sys/cam/scsi/scsi_cd.c | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/sys/cam/scsi/scsi_cd.c b/sys/cam/scsi/scsi_cd.c
index 599ebc272629..af0aef7b6cc1 100644
--- a/sys/cam/scsi/scsi_cd.c
+++ b/sys/cam/scsi/scsi_cd.c
@@ -1314,7 +1314,7 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 struct cam_periph *periph;
 struct cd_softc *softc;
- int nocopyout, error = 0;
+ int error = 0;
 periph = (struct cam_periph *)dp->d_drv1;
 cam_periph_lock(periph);
@@ -1356,7 +1356,6 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 */
 cam_periph_unlock(periph);
- nocopyout = 0;
 switch (cmd) {
 case CDIOCPLAYTRACKS:
@@ -1532,9 +1531,6 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 cam_periph_unlock(periph);
 }
 break;
- case CDIOCREADSUBCHANNEL_SYSSPACE:
- nocopyout = 1;
- /* Fallthrough */
 case CDIOCREADSUBCHANNEL:
 {
 struct ioc_read_subchannel *args
@@ -1579,13 +1575,7 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 data->header.data_len[1] +
 sizeof(struct cd_sub_channel_header)));
 cam_periph_unlock(periph);
- if (nocopyout == 0) {
- if (copyout(data, args->data, len) != 0) {
- error = EFAULT;
- }
- } else {
- bcopy(data, args->data, len);
- }
+ error = copyout(data, args->data, len);
 free(data, M_SCSICD);
 }
 break; |
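Review bot: The new `error = copyout(data, args->data, len);` at the end of the CDIOCREADSUBCHANNEL case makes `args->data` a user address on every path, but nothing at the call site records that contract. I would put a comment directly above it, for example `/* args->data is always a user address; in-kernel consumers must bounce through a user buffer, never pass a kernel pointer. */`, so that a kernel-destination variant with a raw `bcopy()` is not reintroduced later. The case body starts outside this hunk and only the tail of the `len` clamp is visible, so the check that `len` cannot exceed the size of the `data` allocation should be confirmed against the full function. Assigning copyout()'s result directly matches the old explicit EFAULT mapping because copyout(9) returns either 0 or EFAULT.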