Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode.

These take a union ccb argument which is full of kernel pointers. Substantial translation efforts would be required to make this work. By rejecting the request we avoid processing or returning entierly wrong data. Reviewed by: imp, ken, markj, cem Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14654
svn path=/head/; revision=330819
2018-03-12 22:58:07 +00:00 · 2018-03-12 22:58:07 +00:00 · 871dc9833b · 2020-12-20 02:59:44 +00:00
commit 871dc9833b
parent 97519ff698
1 changed files with 15 additions and 0 deletions
--- a/sys/cam/scsi/scsi_pass.c
+++ b/sys/cam/scsi/scsi_pass.c
@ -30,6 +30,8 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");

+#include "opt_compat.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
@ -45,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/poll.h>
 #include <sys/selinfo.h>
 #include <sys/sdt.h>
+#include <sys/sysent.h>
 #include <sys/taskqueue.h>
 #include <vm/uma.h>
 #include <vm/vm.h>
@ -1859,6 +1862,12 @@ passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread
 		union ccb **user_ccb, *ccb;
 		xpt_opcode fc;

+#ifdef COMPAT_FREEBSD32
+		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
+			error = ENOTTY;
+			goto bailout;
+		}
+#endif
 		if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0) {
 			error = passcreatezone(periph);
 			if (error != 0)
@ -2033,6 +2042,12 @@ passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread
 		struct pass_io_req *io_req;
 		int old_error;

+#ifdef COMPAT_FREEBSD32
+		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
+			error = ENOTTY;
+			goto bailout;
+		}
+#endif
 		user_ccb = (union ccb **)addr;
 		old_error = 0;