Hi, I came across a bug that possibly affects all versions of FreeBSD since dawn of the GEOM. There seems to be off-by-one error in the g_io_check() allowing requests that just past the boundary of the device to be accepted. I was particularly looking at generating BIO_DELETE requests in the userland and noticed that GEOM provider would accept request for the first sector outside of the device area. The following example illustrates the issue:
---- test.c ----
#include <sys/ioctl.h>
#include <sys/disk.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
int fd;
off_t mediasize, ioarg[2];
u_int secsize;
assert(argc == 2);
fd = open(argv[1], O_RDWR, 0);
assert(fd >= 0);
assert(ioctl(fd, DIOCGMEDIASIZE, &mediasize) == 0);
assert(ioctl(fd, DIOCGSECTORSIZE, &secsize) == 0);
ioarg[0] = mediasize - secsize;
ioarg[1] = secsize;
/* Zero out last sector */
assert(ioctl(fd, DIOCGDELETE, ioarg) == 0);
ioarg[0] += secsize;
/* Zero out last sector + 1 */
assert(ioctl(fd, DIOCGDELETE, ioarg) == -1);
assert(errno == EIO);
exit(0);
}
------------
# cc -o test test.c
# mdconfig -a -t malloc -s 1m
md0
# ./test /dev/md0
Assertion failed: (ioctl(fd, DIOCGDELETE, ioarg) == -1), function main,
file a.c, line 25.
Abort trap
#
Patch to correct this is attached. I have not looked at the code md(4) to
see if it actually results in buffer outside of the allocated area being
zeroed out, but it's totally possible that some providers might do some
weird stuff given a BIO_DELETE request like this. So we are possibly
looking at a mild security issue here (hence CC secteam).
-Max
geom_io.c.diff
Description: Binary data
_______________________________________________ freebsd-geom@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-geom To unsubscribe, send any mail to "freebsd-geom-unsubscr...@freebsd.org"
