freebsd-nq/sys/cam/scsi
Mark Johnston 6afabf0092 scsi_cd: Improve TOC access validation
1. During CD probing, we read the TOC header to find the number of
   entries, then read the TOC itself.  The header determines the number
   of entries, which determines the amount of data to read from the
   device into the softc in the CD_STATE_MEDIA_TOC_FULL state.  We
   hard-code a limit of 99 tracks (plus one for the lead-out) in the
   softc, but were not validating that the size reported by the media
   would fit in this hard-coded limit.  Kernel memory corruption could
   occur if not.[1]  Add validation to check this, and refuse to cache
   the TOC if it would not fit.

2. The CDIOCPLAYTRACKS ioctl uses caller-provided track numbers to index
   into the TOC, but we only validate the starting index.  Add
   validation of the ending index.

Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.

Reported by:	C Turt <ecturt@gmail.com> [1]
Reviewed by:	ken, avg
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32803
2021-11-03 15:09:17 -04:00
scsi_all.c libcam: Define depop structures and introduce scsi_wrap 2021-09-20 16:27:59 -06:00
scsi_all.h libcam: Define depop structures and introduce scsi_wrap 2021-09-20 16:27:59 -06:00
scsi_cd.c scsi_cd: Improve TOC access validation 2021-11-03 15:09:17 -04:00
scsi_cd.h cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_ch.c cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_ch.h
scsi_da.c Fix a common typo in source code comments 2021-08-14 14:08:46 +02:00
scsi_da.h cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_enc_internal.h cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_enc_safte.c cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_enc_ses.c cam(4): Limit search for disks in SES enclosure by single bus 2021-10-05 15:01:16 -04:00
scsi_enc.c cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_enc.h ses: Guard the elm_type_names declaration by _KERNEL 2021-09-02 14:47:18 -06:00
scsi_iu.h
scsi_message.h cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_pass.c cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_pass.h
scsi_pt.c cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_pt.h
scsi_sa.c cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_sa.h cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_ses.h cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
scsi_sg.c cam: drop unused 'saved_ccb' field from softcs 2021-07-06 10:04:38 +01:00
scsi_sg.h
scsi_targ_bh.c cam: clear stack-allocated CCB in the target layer 2021-07-21 10:18:28 +01:00
scsi_target.c targ(4): Remove D_NEEDGIANT. 2021-08-21 11:20:54 -04:00
scsi_targetio.h
scsi_xpt.c cam: revert second half of 75b5caa08e 2021-09-01 09:35:27 +00:00
smp_all.c cam: clean up empty lines in .c and .h files 2020-09-01 22:13:48 +00:00
smp_all.h