From owner-freebsd-bugs@FreeBSD.ORG Fri Jan 17 16:10:04 2014
Message-Id: <201401171606.s0HG69R7081455@oldred.freebsd.org>
Date: Fri, 17 Jan 2014 16:06:09 GMT
From: "Wolfgang B."
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/185852: bad geom ctl request causes kernel panic

>Number: 185852
>Category: kern
>Synopsis: bad geom ctl request causes kernel panic
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 17 16:10:03 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Wolfgang B.
>Release: 9.2 release memstick and 10-CURRENT from stable/10 git
>Organization:
>Environment:
FreeBSD new-host-2 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

and:

FreeBSD new-host-2 10.0-PRERELEASE FreeBSD 10.0-PRERELEASE #2 c80798a(stable/10)-dirty: Fri Jan 17 16:41:13 CET 2014 wry@wrybsd:/home/wry/FreeBSD/obj/amd64.amd64/home/wry/FreeBSD/freebsd/sys/GENERIC x86_64
>Description:
Many of gctl_copyin's error cases don't actually set the request's nerror member. If for instance the "class" value gets corrupted (or deliberately set to a bad value) (specifically to be non-null-terminated but with GCTL_PARAM_ASCII added to its flags), gctl_copyin will not get to setting kvalue, which is then NULL and later on accessed in gctl_get_class, where it checks for a terminating null character.

Seems like a lot of the geom subsystem could use some more error checking. I.e. GEOM_PARAM_KERNELVALUE never gets set on the request argument, so why aren't all accesses to its kvalue member masked by this flag if it exists?

(A kernel should not have to rely on the userspace being friendly to it. This is a lucky case in that you by default need to be in the operator group to issue such a request.)
>How-To-Repeat:
Send a libgeom request filled with garbage. Example code: http://users.archbsd.net/~blub/pastes/blub/geom_crash.c

Compile with -lgeom and run with a 'doit' parameter to trigger the panic.
>Fix:
Make gctl_error or its callers (gctl_copyin) set req->nerror in all error cases.

The diff [1] is dirty and not the recommended way to go about this, but it did protect against the geom_crash.c file linked in the "How to repeat the problem" section (got the correct "unterminated param value" error with it), which shows me that my assumption of how/where this is going bad is probably correct.

[1]
>Release-Note:
>Audit-Trail:
>Unformatted:
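The defect class the report describes (a validation failure that does not record an error, so a later stage dereferences a kernel-side value that was never filled in) is easiest to see in a small self-contained model of the request flow. The following C program is an added illustration, not FreeBSD's geom code or the reporter's diff; the structure and function names (model_req, model_arg, model_error, model_copyin, model_get_class, handle_request) are hypothetical and only mirror the fields the PR mentions (nerror, kvalue, the ASCII and KERNELVALUE flags). It shows the two checks the report asks for: every error path sets nerror, and kvalue is only touched when the KERNELVALUE flag marks it valid. The inputs are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a gctl-style request; layout is hypothetical. */
#define PARAM_ASCII       0x1  /* value must be a NUL-terminated string */
#define PARAM_KERNELVALUE 0x2  /* kvalue has been filled in by the kernel */

struct model_arg {
    const char *name;
    const char *value;   /* bytes exactly as supplied by the caller */
    size_t      len;
    unsigned    flags;
    char       *kvalue;  /* kernel-side copy; NULL until set */
};

struct model_req {
    struct model_arg *args;
    int               narg;
    int               nerror;     /* errno-style code, 0 = no error */
    char              error[64];  /* human-readable message */
};

/* Record the first error on the request; always sets nerror. */
static void model_error(struct model_req *req, int code, const char *msg) {
    if (req->nerror == 0) {
        req->nerror = code;
        snprintf(req->error, sizeof(req->error), "%s", msg);
    }
}

/* Validate each argument and fill kvalue. Any failure sets nerror and
 * leaves kvalue NULL, so a caller that checks nerror cannot reach it. */
static int model_copyin(struct model_req *req) {
    for (int i = 0; i < req->narg; i++) {
        struct model_arg *a = &req->args[i];
        if ((a->flags & PARAM_ASCII) &&
            (a->len == 0 || a->value[a->len - 1] != '\0')) {
            model_error(req, EINVAL, "unterminated param value");
            return req->nerror;
        }
        a->kvalue = (char *)a->value;  /* model only: no real copy */
        a->flags |= PARAM_KERNELVALUE;
    }
    return 0;
}

/* Look up the "class" argument. Refuses to dereference kvalue unless the
 * request is error-free and copyin marked the value as valid. */
static const char *model_get_class(struct model_req *req) {
    if (req->nerror != 0)
        return NULL;
    for (int i = 0; i < req->narg; i++) {
        struct model_arg *a = &req->args[i];
        if (strcmp(a->name, "class") != 0)
            continue;
        if (!(a->flags & PARAM_KERNELVALUE) || a->kvalue == NULL)
            return NULL;
        return a->kvalue;
    }
    return NULL;
}

/* The order the PR describes: copyin first, then the class lookup. */
int handle_request(struct model_req *req, const char **cls) {
    *cls = NULL;
    if (model_copyin(req) != 0)
        return req->nerror;
    *cls = model_get_class(req);
    return *cls != NULL ? 0 : ENOENT;
}

/* Constructed well-formed request: returns 1 when the class is resolved. */
int demo_good(void) {
    static const char v[] = "MD";  /* sizeof includes the NUL */
    struct model_arg args[1] = {{"class", v, sizeof v, PARAM_ASCII, NULL}};
    struct model_req req = {args, 1, 0, ""};
    const char *cls;
    int rc = handle_request(&req, &cls);
    return rc == 0 && strcmp(cls, "MD") == 0;
}

/* Constructed malformed request (ASCII flag set, no terminating NUL):
 * returns 1 when the error is reported and nothing is dereferenced. */
int demo_bad(void) {
    static const char v[2] = {'M', 'D'};
    struct model_arg args[1] = {{"class", v, sizeof v, PARAM_ASCII, NULL}};
    struct model_req req = {args, 1, 0, ""};
    const char *cls;
    int rc = handle_request(&req, &cls);
    return rc == EINVAL && cls == NULL &&
           strcmp(req.error, "unterminated param value") == 0;
}

int main(void) {
    printf("good request ok: %d\nbad request rejected: %d\n",
           demo_good(), demo_bad());
    return 0;
}
```

The point of the model is the second guard in model_get_class: even if a copyin error path forgot to set nerror, the KERNELVALUE flag and the NULL check keep the lookup from dereferencing an unset kvalue, which is the belt-and-braces pattern the report's second paragraph argues for.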