NetBSD Problem Report #53724

From gson@gson.org  Sun Nov 11 12:37:00 2018
Return-Path: <gson@gson.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 7690D7A111
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 11 Nov 2018 12:37:00 +0000 (UTC)
Message-Id: <20181111123654.9371A9893F6@guava.gson.org>
Date: Sun, 11 Nov 2018 14:36:54 +0200 (EET)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: cd(4) driver may expose kernel memory content
X-Send-Pr-Version: 3.95

>Number:         53724
>Category:       kern
>Synopsis:       cd(4) driver may expose kernel memory content
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    jdolecek
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 11 12:40:00 +0000 2018
>Closed-Date:    Tue Nov 13 13:17:06 +0000 2018
>Last-Modified:  Mon Jan 07 21:21:16 +0000 2019
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date >= 2017.10.07.20.02.07
>Organization:
>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:

When running NetBSD under qemu without explicitly specifying a CD-ROM
device on the qemu command line, qemu will emulate a single default
virtual ATAPI CD-ROM drive with no media loaded.

Despite the lack of media, reading from this virtual CD-ROM in the
NetBSD guest succeeds and returns data.  The data returned are
different each time and look like they might consist of random bits of
buffer cache content or other kernel memory from the NetBSD guest
system.

Since this bug appears to be exposing kernel memory, I'm treating it
as a potential security issue and filing the PR as confidential.
I have not checked whether the problem also occurs with physical CD-ROM
drives, or with block devices other than CD-ROMs, but even if it is
limited to the qemu ATAPI CD-ROM emulation, it may be widespread given
the use of the qemu device emulations in Xen and Linux KVM.  On the
other hand, the security impact is limited by the fact that the
/dev/cd* devices are only readable by root by default.

A bisection showed that the bug appeared during the period of build
breakage that began with the merge of the sata-ncq branch on source
date 2017.10.07.15.13.00 and ended 2017.10.07.20.02.07.  Before this,
attempting to read from the empty CD-ROM would result in "Operation
not supported by device".

>How-To-Repeat:

Boot NetBSD-current/i386 under qemu without specifying a CD-ROM
device, log in as root, and run

  strings /dev/cd0a

>Fix:

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->jdolecek
Responsible-Changed-By: jdolecek@NetBSD.org
Responsible-Changed-When: Sun, 11 Nov 2018 13:41:54 +0000
Responsible-Changed-Why:
Seems it appeared with merge of jdolecek-ncqfixes


From: Andreas Gustafsson <gson@gson.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/53724 (cd(4) driver may expose kernel memory content)
Date: Sun, 11 Nov 2018 15:49:21 +0200

 jdolecek@NetBSD.org wrote:
 > Seems it appeared with merge of jdolecek-ncqfixes

 According to the bisection, it appeared with the merge of sata-ncq in
 October 2017.
 -- 
 Andreas Gustafsson, gson@gson.org

State-Changed-From-To: open->feedback
State-Changed-By: jdolecek@NetBSD.org
State-Changed-When: Mon, 12 Nov 2018 20:54:56 +0000
State-Changed-Why:
Fix committed and get proper EOPNOTSUPP again from cd0, can you confirm
it works for you too?


From: "Jaromir Dolecek" <jdolecek@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53724 CVS commit: src/sys/dev
Date: Mon, 12 Nov 2018 20:54:03 +0000

 Module Name:	src
 Committed By:	jdolecek
 Date:		Mon Nov 12 20:54:03 UTC 2018

 Modified Files:
 	src/sys/dev/ic: mvsata.c
 	src/sys/dev/scsipi: atapi_wdc.c

 Log Message:
 pass correct status + error to *_atapi_phase_complete(), so that
 the function is actually able to recognize when there was an error;
 tested via reading a cd0 device in QEMU with ejected cdrom

 bug was introduced with jdolecek-ncq branch

 fixes PR kern/53724 by Andreas Gustafsson


 To generate a diff of this commit:
 cvs rdiff -u -r1.45 -r1.46 src/sys/dev/ic/mvsata.c
 cvs rdiff -u -r1.132 -r1.133 src/sys/dev/scsipi/atapi_wdc.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
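
 As an added illustration (not NetBSD's code and not the diff referenced
 above), a hypothetical C model of the defect the log message describes: a
 completion routine can only reject a failed ATAPI command if it is handed the
 real status/error bytes, and when it is passed stale zeros the never-filled
 kernel buffer is copied out to the caller as data.  All names (ST_ERR, STALE,
 atapi_issue, atapi_phase_complete, cd_read, read_leaks) are invented for this
 model.

```c
/* Hypothetical model (not NetBSD's code) of the cd(4) read path in this PR:
 * the completion routine can only reject a failed ATAPI command if handed the
 * real status/error bytes; given stale zeros, a never-filled buffer leaks. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ST_ERR  0x01   /* hypothetical: error bit in the drive status byte */
#define SECTOR  2048   /* one CD-ROM data sector */
#define STALE   0xAB   /* stands in for leftover buffer-cache bytes */

/* Simulated ATAPI drive with no media: reports an error, transfers nothing. */
static void atapi_issue(uint8_t *status, uint8_t *error, uint8_t *buf, size_t len)
{
    (void)buf; (void)len;           /* no media: not a single byte is written */
    *status = ST_ERR;
    *error  = 0x20;                 /* hypothetical "not ready" indication */
}

/* Phase-complete routine: translates a reported error into an errno value. */
static int atapi_phase_complete(uint8_t status, uint8_t error)
{
    if (status & ST_ERR)
        return error ? EOPNOTSUPP : EIO;
    return 0;
}

/* Read one sector for the user.  pass_real selects whether the completion
 * routine sees the real status/error (fixed) or stale zeros (buggy). */
static int cd_read(int pass_real, uint8_t *user)
{
    uint8_t kbuf[SECTOR], status = 0, error = 0;
    memset(kbuf, STALE, sizeof kbuf);           /* "kernel memory" not cleared */
    atapi_issue(&status, &error, kbuf, sizeof kbuf);
    int rv = pass_real ? atapi_phase_complete(status, error)
                       : atapi_phase_complete(0, 0);
    if (rv != 0)
        return rv;                              /* error seen: nothing copied out */
    memcpy(user, kbuf, SECTOR);                 /* copies bytes the drive never wrote */
    return 0;
}

/* Returns 1 when a media-less read hands stale kernel bytes to the caller. */
static int read_leaks(int pass_real)
{
    uint8_t user[SECTOR] = {0};
    return cd_read(pass_real, user) == 0 && user[0] == STALE;
}
```

 The same pattern is what the How-To-Repeat step exercises: with the buggy
 path `strings /dev/cd0a` prints whatever the buffer held, with the fixed path
 the read fails with EOPNOTSUPP.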

State-Changed-From-To: feedback->closed
State-Changed-By: gson@NetBSD.org
State-Changed-When: Tue, 13 Nov 2018 13:17:06 +0000
State-Changed-Why:
Confirmed fixed - thanks jdolecek!


>Unformatted:

 Changed to non-confidential since it only affected -current, and is already
 fixed.
