NetBSD Problem Report #53724
From gson@gson.org Sun Nov 11 12:37:00 2018
Message-Id: <20181111123654.9371A9893F6@guava.gson.org>
Date: Sun, 11 Nov 2018 14:36:54 +0200 (EET)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: cd(4) driver may expose kernel memory content
X-Send-Pr-Version: 3.95
>Number: 53724
>Category: kern
>Synopsis: cd(4) driver may expose kernel memory content
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: jdolecek
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 11 12:40:00 +0000 2018
>Closed-Date: Tue Nov 13 13:17:06 +0000 2018
>Last-Modified: Mon Jan 07 21:21:16 +0000 2019
>Originator: Andreas Gustafsson
>Release: NetBSD-current, source date >= 2017.10.07.20.02.07
>Organization:
>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:
When running NetBSD under qemu without explicitly specifying a CD-ROM
device on the qemu command line, qemu will emulate a single default
virtual ATAPI CD-ROM drive with no media loaded.
Despite the lack of media, reading from this virtual CD-ROM in the
NetBSD guest succeeds and returns data. The data returned are
different each time and look like they might consist of random bits of
buffer cache content or other kernel memory from the NetBSD guest
system.
Since this bug appears to be exposing kernel memory, I'm treating it
as a potential security issue and filing the PR as confidential.
I have not checked whether the problem also occurs with physical CD-ROM
drives, or with block devices other than CD-ROMs, but even if it is
limited to the qemu ATAPI CD-ROM emulation, it may be widespread given
the use of the qemu device emulations in Xen and Linux KVM. On the
other hand, the security impact is limited by the fact that the
/dev/cd* devices are only readable by root by default.
A bisection showed that the bug appeared during the period of build
breakage that began with the merge of the sata-ncq branch on source
date 2017.10.07.15.13.00 and ended 2017.10.07.20.02.07. Before this,
attempting to read from the empty CD-ROM would result in "Operation
not supported by device".
>How-To-Repeat:
Boot NetBSD-current/i386 under qemu without specifying a CD-ROM
device, log in as root, and run
strings /dev/cd0a
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->jdolecek
Responsible-Changed-By: jdolecek@NetBSD.org
Responsible-Changed-When: Sun, 11 Nov 2018 13:41:54 +0000
Responsible-Changed-Why:
Seems it appeared with merge of jdolecek-ncqfixes
From: Andreas Gustafsson <gson@gson.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/53724 (cd(4) driver may expose kernel memory content)
Date: Sun, 11 Nov 2018 15:49:21 +0200
jdolecek@NetBSD.org wrote:
> Seems it appeared with merge of jdolecek-ncqfixes
According to the bisection, it appeared with the merge of sata-ncq in
October 2017.
--
Andreas Gustafsson, gson@gson.org
State-Changed-From-To: open->feedback
State-Changed-By: jdolecek@NetBSD.org
State-Changed-When: Mon, 12 Nov 2018 20:54:56 +0000
State-Changed-Why:
Fix committed and get proper EOPNOTSUPP again from cd0, can you confirm
it works for you too?
From: "Jaromir Dolecek" <jdolecek@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53724 CVS commit: src/sys/dev
Date: Mon, 12 Nov 2018 20:54:03 +0000
Module Name: src
Committed By: jdolecek
Date: Mon Nov 12 20:54:03 UTC 2018
Modified Files:
src/sys/dev/ic: mvsata.c
src/sys/dev/scsipi: atapi_wdc.c
Log Message:
pass correct status + error to *_atapi_phase_complete(), so that
the function is actually able to recognize when there was an error;
tested via reading a cd0 device in QEMU with ejected cdrom
bug was introduced with jdolecek-ncq branch
fixes PR kern/53724 by Andreas Gustafsson
To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/dev/ic/mvsata.c
cvs rdiff -u -r1.132 -r1.133 src/sys/dev/scsipi/atapi_wdc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
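To illustrate the failure mode this commit fixes, here is an added C model (not NetBSD's atapi_wdc.c or mvsata.c; the function names, the WDCS_ERR bit value, the error register value and the stale buffer contents are all hypothetical or constructed): when the completion routine is handed cleared status and error values instead of the controller's, a read of a drive with no media reports success and copies out a buffer the device never filled, which is how unrelated kernel memory ends up in the caller's hands.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define WDCS_ERR 0x01 /* hypothetical: ERR bit of the ATA status register */
#define BUF_SIZE 16

/* Hypothetical controller state; status/error are what the device reported. */
struct atapi_dev {
    uint8_t status, error;
    int     ready;    /* non-zero when media is present */
};

/* Constructed stand-in for whatever the buffer memory previously held. */
static const char stale_pool[BUF_SIZE] = "SECRET_KERNEL_DT";

/* Packet command: with no media the drive sets ERR and transfers nothing. */
static void issue_read(struct atapi_dev *dev, char *buf)
{
    if (!dev->ready) {
        dev->status = WDCS_ERR;
        dev->error = 0x20;           /* constructed error register value */
        return;                      /* buf is left untouched */
    }
    dev->status = 0;
    dev->error = 0;
    memset(buf, 'D', BUF_SIZE);      /* data actually read from media */
}

/* Completion: can only see a failure through the values it is handed. */
static int atapi_phase_complete(uint8_t status, uint8_t error)
{
    return ((status & WDCS_ERR) || error) ? EOPNOTSUPP : 0;
}

/* Read path. buggy != 0 models the defect: completion is handed cleared
 * status/error instead of the controller's, so the failure goes unnoticed
 * and the never-filled buffer is copied out to the caller. */
int cd_read(struct atapi_dev *dev, int buggy, char out[BUF_SIZE])
{
    char buf[BUF_SIZE];
    memcpy(buf, stale_pool, BUF_SIZE);   /* reused, uninitialised memory */
    issue_read(dev, buf);
    int rv = buggy ? atapi_phase_complete(0, 0)
                   : atapi_phase_complete(dev->status, dev->error);
    if (rv != 0)
        return rv;                       /* error: nothing copied out */
    memcpy(out, buf, BUF_SIZE);
    return 0;
}
```

With the controller's real status passed through, the empty-drive read returns EOPNOTSUPP and the caller's buffer is untouched; with the cleared values it returns 0 and the stale bytes.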
State-Changed-From-To: feedback->closed
State-Changed-By: gson@NetBSD.org
State-Changed-When: Tue, 13 Nov 2018 13:17:06 +0000
State-Changed-Why:
Confirmed fixed - thanks jdolecek!
>Unformatted:
Changed to non-confidential since it only affected -current, and is already
fixed.
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.