
scsi_cd: Improve TOC access validation
ClosedPublic

Authored by markj on Nov 2 2021, 1:43 PM.
Details

Summary
  1. During CD probing, we read the TOC header to find the number of entries, then read the TOC itself. The header determines the number of entries, which determines the amount of data to read from the device into the softc in the CD_STATE_MEDIA_TOC_FULL state. We hard-code a limit of 99 tracks (plus one for the lead-out) in the softc, but were not validating that the size reported by the media would fit in this hard-coded limit. Kernel memory corruption would occur if not.[1] Add validation to check this.
  2. The CDIOCPLAYTRACKS ioctl uses caller-provided track numbers to index into the TOC, but we only validate the starting index. Add validation of the ending index.

Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.

Reported by: C Turt <ecturt@gmail.com> [1]
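The two checks the summary describes, modelled as an added example (constructed for this page, not the scsi_cd driver's own code): the struct names, field layout and the 170-entry buffer are simplified stand-ins for the softc, and the entry count is derived from the header's first/last track fields as the summary describes.

```c
/* Constructed model of the TOC validation described above. Not the kernel's
 * code: the structs and names below are simplified stand-ins for scsi_cd. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CD_MAX_TOC_ENTRIES 170   /* raised limit: 169 tracks plus the lead-out */

struct toc_header {              /* 4-byte header returned by READ TOC */
    uint16_t len;                /* bytes that follow; not used by the checks here */
    uint8_t  starting_track;
    uint8_t  ending_track;
};

struct toc_entry { uint8_t control, track; uint32_t addr; };

struct cd_toc {                  /* fixed-size TOC buffer living in the softc */
    struct toc_header header;
    struct toc_entry  entries[CD_MAX_TOC_ENTRIES];
};

/* Check 1: the number of entries the header implies must fit the fixed buffer
 * before the full TOC is read into it. Returns the entry count (tracks plus
 * lead-out), or 0 when the TOC must be treated as invalid, which is where the
 * driver clears CD_FLAG_VALID_TOC instead of overrunning the softc. */
size_t cd_toc_entries_to_read(const struct toc_header *h)
{
    if (h->ending_track < h->starting_track)
        return 0;
    size_t n = (size_t)h->ending_track - h->starting_track + 2; /* +1 inclusive, +1 lead-out */
    return n > CD_MAX_TOC_ENTRIES ? 0 : n;
}

/* Check 2: CDIOCPLAYTRACKS start and end track must both lie in the range the
 * TOC header describes; the original code checked only the start. */
bool cd_play_tracks_valid(const struct cd_toc *toc, unsigned start, unsigned end)
{
    unsigned first = toc->header.starting_track, last = toc->header.ending_track;
    if (start < first || start > last) return false;
    if (end < first || end > last) return false;
    return true;
}

int main(void)
{
    struct toc_header oversized = { 0, 1, 250 };   /* constructed: more tracks than fit */
    printf("entries to read: %zu\n", cd_toc_entries_to_read(&oversized)); /* 0: rejected */
    return 0;
}
```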

Test Plan

I verified that I'm able to read the TOC from an audio CD as before. I tried
lowering the hard-coded limit to a small number and verified that we now
clear the CD_FLAG_VALID_TOC flag when probing a CD during boot, whereas
before we'd panic.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 42523
Build 39411: arc lint + arc unit