src/sys/dev/hptrr, branch stable/10 FreeBSD source tree MFC r327497, r327498: fix memory disclosure in hpt* ioctls 2018-01-23T02:29:39+00:00 Ed Maste emaste@FreeBSD.org 2018-01-23T02:29:39+00:00 bb7a958c318f4335e527e3ee9821d714b830de8f r327497: hpt27xx: plug info leak in hpt_ioctl The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer. Also zero bytesReturned in case it is not written by hpt_do_ioctl(). The hpt27xx device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. Reported by: Ilja van Sprundel <ivansprundel@ioactive.com> Submitted by: Domagoj Stolfa <domagoj.stolfa@gmail.com> (M_ZERO) r327498: hpt{nr,rr}: plug info leak in hpt_ioctl The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer. Also zero bytesReturned in case it is not written by hpt_do_ioctl(). The hpt27{nr,rr} device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. The same issue was reported in the hpt27xx driver by Ilja Van Sprundel. Security: memory disclosure in root-only ioctls Sponsored by: The FreeBSD Foundation 
r327497: hpt27xx: plug info leak in hpt_ioctl

The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.

Also zero bytesReturned in case it is not written by hpt_do_ioctl().

The hpt27xx device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.

Reported by:  Ilja van Sprundel <ivansprundel@ioactive.com>
Submitted by: Domagoj Stolfa <domagoj.stolfa@gmail.com> (M_ZERO)

r327498: hpt{nr,rr}: plug info leak in hpt_ioctl

The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.

Also zero bytesReturned in case it is not written by hpt_do_ioctl().

The hpt27{nr,rr} device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.

The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.

Security:	memory disclosure in root-only ioctls
Sponsored by:	The FreeBSD Foundation
MFC r311305 (by asomers): 2017-03-23T06:41:13+00:00 Alexander Motin mav@FreeBSD.org 2017-03-23T06:41:13+00:00 63a2397e28702b82eca0410a0a7db8f60fc51215 Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name) The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are fixed-length strings. AFAICT the only place they're read is in sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated. However, the kernel doesn't null-terminate them. A bunch of copy-pasted code uses strncpy to write them, and doesn't guarantee null-termination. For at least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually overflows. You can see the result by doing "camcontrol negotiate da0 -v". This change null-terminates those fields everywhere they're set in the kernel. It also shortens a few strings to ensure they'll fit within the 16-character field. PR: 215474 Reported by: Coverity CID: 1009997 1010000 1010001 1010002 1010003 1010004 1010005 CID: 1331519 1010006 1215097 1010007 1288967 1010008 1306000 CID: 1211924 1010009 1010010 1010011 1010012 1010013 1010014 CID: 1147190 1010017 1010016 1010018 1216435 1010020 1010021 CID: 1010022 1009666 1018185 1010023 1010025 1010026 1010027 CID: 1010028 1010029 1010030 1010031 1010033 1018186 1018187 CID: 1010035 1010036 1010042 1010041 1010040 1010039 
Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name)

The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are
fixed-length strings. AFAICT the only place they're read is in
sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated.
However, the kernel doesn't null-terminate them. A bunch of copy-pasted code
uses strncpy to write them, and doesn't guarantee null-termination. For at
least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually
overflows. You can see the result by doing "camcontrol negotiate da0 -v".

This change null-terminates those fields everywhere they're set in the
kernel. It also shortens a few strings to ensure they'll fit within the
16-character field.

PR:             215474
Reported by:    Coverity
CID:            1009997 1010000 1010001 1010002 1010003 1010004 1010005
CID:            1331519 1010006 1215097 1010007 1288967 1010008 1306000
CID:            1211924 1010009 1010010 1010011 1010012 1010013 1010014
CID:            1147190 1010017 1010016 1010018 1216435 1010020 1010021
CID:            1010022 1009666 1018185 1010023 1010025 1010026 1010027
CID:            1010028 1010029 1010030 1010031 1010033 1018186 1018187
CID:            1010035 1010036 1010042 1010041 1010040 1010039
MFC r313554: 2017-02-24T21:22:13+00:00 Pedro F. Giffuni pfg@FreeBSD.org 2017-02-24T21:22:13+00:00 f4cb2f030ef47933285ffa9b13b4adee4fa8dce1 Clean redundant MIN/MAX declarations in some HighPoint drivers. The hpt27xx(4), hptnr(4), and hptrr(4) drivers declare MIN() and MAX() internally which match the macros from sys/param.h. MIN() is not used, MAX is only used once and can be replaced with the max() version in libkern.h which operates on u_ints. MFC after: 2 weeks 
Clean redundant MIN/MAX declarations in some HighPoint drivers.

The hpt27xx(4), hptnr(4), and hptrr(4) drivers declare MIN() and MAX()
internally which match the macros from sys/param.h.

MIN() is not used, MAX is only used once and can be replaced with the
max() version in libkern.h which operates on u_ints.

MFC after:	2 weeks
MFC: r296135 2017-01-18T23:23:46+00:00 Marius Strobl marius@FreeBSD.org 2017-01-18T23:23:46+00:00 80f05d110d8fee2ea4244c90508024c942192df0 Replace several bus_alloc_resource() calls with bus_alloc_resource_any() Most of these are BARs, and we allocate them in their entirety. The one outlier in this is amdsbwd(4), which calls bus_set_resource() prior. 
Replace several bus_alloc_resource() calls with bus_alloc_resource_any()

Most of these are BARs, and we allocate them in their entirety. The one
outlier in this is amdsbwd(4), which calls bus_set_resource() prior.
MFC r274819: 2014-12-21T03:06:11+00:00 Steven Hartland smh@FreeBSD.org 2014-12-21T03:06:11+00:00 117c93e53f1784aedab7d9942d1fb8e00c8b1618 Prevent overflow issues in timeout processing MFC r274852: Fix build with asr driver Sponsored by: Multiplay 
Prevent overflow issues in timeout processing

MFC r274852:
Fix build with asr driver

Sponsored by:	Multiplay
MFC r269615: 2014-12-21T03:00:44+00:00 Steven Hartland smh@FreeBSD.org 2014-12-21T03:00:44+00:00 83e10823f9ff36889405b517bb52796360b23aa0 Various fixes to hptrr(4) Sponsored by: Multiplay 
Various fixes to hptrr(4)

Sponsored by:	Multiplay
MFC r267368: 2014-06-14T00:44:57+00:00 Xin LI delphij@FreeBSD.org 2014-06-14T00:44:57+00:00 ac02ccc3f1bebc2c61488b50b66fec3dcf0b87a3 Apply vendor fixes to the High Point drivers: - Don't call xpt_free_path() in os_query_remove_device() and always return TRUE. - Update os_buildsgl() to support build logical SG table which will be used by lower RAID module. - Return CAM_SEL_TIMEOUTstatus for SCSIcommand failed as target missing. Many thanks to HighPoint for providing this driver update. Submitted by: Steve Chang Reviewed by: mav 
Apply vendor fixes to the High Point drivers:

 - Don't call xpt_free_path() in os_query_remove_device() and
   always return TRUE.
 - Update os_buildsgl() to support build logical SG table which
   will be used by lower RAID module.
 - Return CAM_SEL_TIMEOUTstatus for SCSIcommand failed as target
   missing.

Many thanks to HighPoint for providing this driver update.

Submitted by:	Steve Chang
Reviewed by:	mav
Re-do r255853. Along with adding back the API/ABI changes from the 2013-09-25T17:16:21+00:00 Scott Long scottl@FreeBSD.org 2013-09-25T17:16:21+00:00 eb8a7632ba2a674b697cfedeba54ccb941a446b9 original, this hides the contents of cam_compat.h from ktrace/kdump/truss, avoiding problems there. There are no user-servicable parts in there, so no need for those tools to be groping around in there. Approved by: re 
original, this hides the contents of cam_compat.h from ktrace/kdump/truss,
avoiding problems there.  There are no user-servicable parts in there, so
no need for those tools to be groping around in there.

Approved by:    re
Revert r255853 pending fixes to build errors in usr.bin/kdump 2013-09-25T01:48:45+00:00 Glen Barber gjb@FreeBSD.org 2013-09-25T01:48:45+00:00 0082e54e9d0d882a4eab9c6c0de71ac8c891dcef Approved by: re (implicit) 
Approved by:	re (implicit)
Update the CAM API for FreeBSD 10: 2013-09-24T16:50:53+00:00 Scott Long scottl@FreeBSD.org 2013-09-24T16:50:53+00:00 185884259b58c3ef8203268c1c201095c7170d63 - Remove the timeout_ch field. It's been deprecated since FreeBSD 7.0; MPSAFE drivers should be managing their own timeout storage. The remaining non-MPSAFE drivers have been modified to also manage their own storage, and should be considered for updating to MPSAFE (or removal) during the FreeBSD 10.x lifecycle. - Add fields related to soft timeouts and quality of service, to be used in upcoming work. - Add room for more flags in the CCB header and path_inq structures. - Begin support for extended 64-bit LUNs. - Bump the CAM version number to 0x18, but add compat shims. Tested with camcontrol and smartctl. Reviewed by: nathanw, ken, kib Approved by: re Obtained from: Netflix 
- Remove the timeout_ch field.  It's been deprecated since FreeBSD 7.0;
  MPSAFE drivers should be managing their own timeout storage.  The
  remaining non-MPSAFE drivers have been modified to also manage their own
  storage, and should be considered for updating to MPSAFE (or removal)
  during the FreeBSD 10.x lifecycle.

- Add fields related to soft timeouts and quality of service, to be used
  in upcoming work.

- Add room for more flags in the CCB header and path_inq structures.

- Begin support for extended 64-bit LUNs.

- Bump the CAM version number to 0x18, but add compat shims.  Tested with
  camcontrol and smartctl.

Reviewed by:    nathanw, ken, kib
Approved by:    re
Obtained from:  Netflix