author | gordon <gordon@FreeBSD.org> | 2019-07-03 00:03:55 +0000 |
---|---|---|
committer | gordon <gordon@FreeBSD.org> | 2019-07-03 00:03:55 +0000 |
commit | 6b7493d0fd3414c4561ca74e0cc4562a34e5336c (patch) | |
tree | 2d85a60679acf37a486c961a6b652508fbc3631f /sys/cam | |
parent | eb6bf40db8c2c6a5621845360152dd04b815759c (diff) | |
Fix privilege escalation in cd(4) driver.
Approved by: so
Approved by: re (implicit)
Security: FreeBSD-SA-19:11.cd_ioctl
Security: CVE-2019-5602
Diffstat (limited to 'sys/cam')
-rw-r--r-- | sys/cam/scsi/scsi_cd.c | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/sys/cam/scsi/scsi_cd.c b/sys/cam/scsi/scsi_cd.c
index e9f22a1..f77924e 100644
--- a/sys/cam/scsi/scsi_cd.c
+++ b/sys/cam/scsi/scsi_cd.c
@@ -1281,7 +1281,7 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 struct cam_periph *periph;
 struct cd_softc *softc;
- int nocopyout, error = 0;
+ int error = 0;
 periph = (struct cam_periph *)dp->d_drv1;
 cam_periph_lock(periph);
@@ -1323,7 +1323,6 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 */
 cam_periph_unlock(periph);
- nocopyout = 0;
 switch (cmd) {
 case CDIOCPLAYTRACKS:
@@ -1499,9 +1498,6 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 cam_periph_unlock(periph);
 }
 break;
- case CDIOCREADSUBCHANNEL_SYSSPACE:
- nocopyout = 1;
- /* Fallthrough */
 case CDIOCREADSUBCHANNEL:
 {
 struct ioc_read_subchannel *args
@@ -1546,13 +1542,7 @@ cdioctl(struct disk *dp, u_long cmd, void *addr, int flag, struct thread *td)
 data->header.data_len[1] +
 sizeof(struct cd_sub_channel_header)));
 cam_periph_unlock(periph);
- if (nocopyout == 0) {
- if (copyout(data, args->data, len) != 0) {
- error = EFAULT;
- }
- } else {
- bcopy(data, args->data, len);
- }
+ error = copyout(data, args->data, len);
 free(data, M_SCSICD);
 }
 break; |
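Review bot: The new `error = copyout(data, args->data, len);` in the last hunk (-1546/+1542) carries no comment saying why a plain memory copy is not acceptable at this point, and the removed `bcopy()` branch shows how easily that shortcut gets added. I would put `/* args->data is supplied by the ioctl caller: treat it as a user address and always copyout(). */` directly above the line, so that a later in-kernel consumer is not served by reintroducing a kernel-space variant behind a command that userland can also issue. Assigning copyout()'s return value directly matches the old EFAULT mapping only if copyout() returns nothing but 0 or EFAULT, which I believe holds on FreeBSD but is worth a glance. The diffstat is limited to sys/cam, so whether any remaining in-kernel users of the removed CDIOCREADSUBCHANNEL_SYSSPACE command were converted cannot be checked from this page. The case body starts outside the hunk, so the earlier validation of `len` is not visible either.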