ctl_report_supported_opcodes: Handle invalid requested service action

Service actions are only valid up to 31 as they are encoded in the low
5 bits of byte 1 in CDBs. Fail requests with a requested

ctl_report_supported_opcodes: Handle invalid requested service action

Service actions are only valid up to 31 as they are encoded in the low
5 bits of byte 1 in CDBs. Fail requests with a requested service
action of 32 or higher with an INVALID FIELD IN COMMAND specifying
byte 4 as the illegal byte.

Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D46611

show more ...

ctl: limit memory allocation in pci_virtio_scsi

The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).

All

ctl: limit memory allocation in pci_virtio_scsi

The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).

All kernel commands accessible from the guest are defined by
ctl_cmd_table.

The command ctl_persistent_reserve_out (cdb[0]=0x5F and cbd[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DOS attack).

Reported by: Synacktiv
Reviewed by: asomers
Security: HYP-08
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46044

show more ...

ctl_report_supported_opcodes: Rename invalid label to invalid_options

This error handling is specific to an invalid value in the REPORTING
OPTIONS field of a REPORT SUPPORTED OPERATION CODES command

ctl_report_supported_opcodes: Rename invalid label to invalid_options

This error handling is specific to an invalid value in the REPORTING
OPTIONS field of a REPORT SUPPORTED OPERATION CODES command.

While here, reuse the label for another case.

Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D46775

show more ...

ctl: fix uninitialized data used by PREVENT ALLOW MEDIUM REMOVAL

Zero-initialize the bitmap of preventers. Otherwise, the START STOP
UNIT command may not have the intended effect.

MFC after: 2 wee

ctl: fix uninitialized data used by PREVENT ALLOW MEDIUM REMOVAL

Zero-initialize the bitmap of preventers. Otherwise, the START STOP
UNIT command may not have the intended effect.

MFC after: 2 weeks
Sponsored by: Axcient
Reviewed by: emaste, markj
Pull Request: https://github.com/freebsd/freebsd-src/pull/1409

show more ...

ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes

This vulnerability is directly accessible to a guest VM through the
pci_virtio_scsi bhyve device.

In the function ctl_report_supported_

ctl: fix Out-Of-Bounds access in ctl_report_supported_opcodes

This vulnerability is directly accessible to a guest VM through the
pci_virtio_scsi bhyve device.

In the function ctl_report_supported_opcodes() accessible from the VM,
the option RSO_OPTIONS_OC_ASA does not check the requested
service_action value before accessing &ctl_cmd_table[].

Reported by: Synacktiv
Reviewed by: asomers
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-42416
Security: HYP-06
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46027

show more ...

ctl: fix memory disclosure in read/write buffer commands

The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocat

ctl: fix memory disclosure in read/write buffer commands

The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.

Reported by: Synacktiv
Reviewed by: asomers
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-8178
Security: HYP-05
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45952

show more ...

ctl: fix Use-After-Free in ctl_write_buffer

The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability d

ctl: fix Use-After-Free in ctl_write_buffer

The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability directly accessible from VMs through the pci_virtio_scsi
bhyve device.

The function ctl_write_buffer sets the CTL_FLAG_ALLOCATED flag, causing
the kern_data_ptr to be freed when the command finishes processing.
However, the buffer is still stored in lun->write_buffer, leading to a
Use-After-Free vulnerability.

Since the buffer needs to persist indefinitely, so it can be accessed by
READ BUFFER, do not set CTL_FLAG_ALLOCATED.

Reported by: Synacktiv
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-45063
Security: HYP-03
Sponsored by: Axcient
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46424

show more ...

ctl: Stop checking for failures from malloc(M_WAITOK)

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45852

ctl: avoid heap info leak in ctl_request_sense

Previously 3 bytes of data from the heap could be leaked to ctl
consumers.

Reported by: Synacktiv
Reviewed by: asomers, mav
Sponsored by: The Alpha-Om

ctl: avoid heap info leak in ctl_request_sense

Previously 3 bytes of data from the heap could be leaked to ctl
consumers.

Reported by: Synacktiv
Reviewed by: asomers, mav
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46091

show more ...

ctl: Add NVMF port type and ioctls

- Add CTL_PORT_NVMF as a new port type.

- Define a new CTL_NVMF ioctl for NVMF-specific operations similar to
CTL_ISCSI. This ioctl supports a command to hando

ctl: Add NVMF port type and ioctls

- Add CTL_PORT_NVMF as a new port type.

- Define a new CTL_NVMF ioctl for NVMF-specific operations similar to
CTL_ISCSI. This ioctl supports a command to handoff a single
queue pair, a command to enumerate active associations, and a
command to disconnect one or more active associations.

Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44724

show more ...

ctl: Add helper routines to populate NVMe namespace data IDs for a LUN

These will be used by the backends to populate the unique ID fields
like EUI64 in the NVMe namespace data (CNS == 0) and namesp

ctl: Add helper routines to populate NVMe namespace data IDs for a LUN

These will be used by the backends to populate the unique ID fields
like EUI64 in the NVMe namespace data (CNS == 0) and namespace
identification descriptor list (CNS == 3).

Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44721

show more ...

ctl: Support for NVMe commands

- Add support for queueing and executing NVMe admin and NVM commands
via ctl_run and ctl_queue. This requires fixing a few places that
were SCSI-specific to add N

ctl: Support for NVMe commands

- Add support for queueing and executing NVMe admin and NVM commands
via ctl_run and ctl_queue. This requires fixing a few places that
were SCSI-specific to add NVME logic.

- NVMe has much simpler command ordering requirements than SCSI. In
particular, the HBA is not required to enforce any specific ordering
for requests with overlapping LBAs. The host is required to manage
that ordering. However, fused commands (currently only COMPARE and
WRITE NVM commands can be fused) are required to be executed
atomically.

To support fused commands, make the second half of a fused command
block on the first half, and have commands submitted after a fused
command pair block on the second half.

- Add handlers and command tables for admin and NVM commands that
operate on individual namespaces and will be passed down from an
NVMe over Fabrics controller to a CTL LUN.

Reviewed by: ken, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44720

show more ...

ctl: Add assertions in SCSI-only paths

Assert that only SCSI I/O requests are passed in various places
that assume a SCSI I/O request (that is, places that access fields
in io->scsiio directly).

Sp

ctl: Add assertions in SCSI-only paths

Assert that only SCSI I/O requests are passed in various places
that assume a SCSI I/O request (that is, places that access fields
in io->scsiio directly).

Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44847

show more ...

ctl: Update some core data paths to be protocol agnostic

- Add wrapper routines for invoking the be_move_done and io_continue
callbacks in SCSI and NVMe I/O requests.

- Use wrapper routines for a

ctl: Update some core data paths to be protocol agnostic

- Add wrapper routines for invoking the be_move_done and io_continue
callbacks in SCSI and NVMe I/O requests.

- Use wrapper routines for access to shared fields between SCSI and
NVMe I/O requests.

- ctl_config_write_done is not fully updated since it resubmits SCSI
commands via ctl_scsiio. This will be completed in a subsequent
commit when ctl_nvmeio is added.

Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44846

show more ...

ctl: Add CTL_IO_ASSERT wrapper macro

Currently, this pattern is commonly used to assert that a union ctl_io
is a SCSI request. In the future it will be used to assert other
types.

Suggested by: im

ctl: Add CTL_IO_ASSERT wrapper macro

Currently, this pattern is commonly used to assert that a union ctl_io
is a SCSI request. In the future it will be used to assert other
types.

Suggested by: imp
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44844

show more ...

ctl: Avoid an upcast for calling ctl_scsi_path_string

Change the first argument of ctl_scsi_path_string to be the embedded
header structure instead of the union. Currently union ctl_io and
struct c

ctl: Avoid an upcast for calling ctl_scsi_path_string

Change the first argument of ctl_scsi_path_string to be the embedded
header structure instead of the union. Currently union ctl_io and
struct ctl_scsiio have the same alignment, but this changes on i386 if
a new union member is added that contains a uint64_t member (such as
an embedded struct nvme_command for NVMeoF). In that case, union
ctl_io requires stronger alignment, so the upcast from struct
ctl_scsiio to union ctl_io in ctl_scsi_sense_sbuf raises an increasing
alignment warning on i386.

Avoid the warning by passing struct ctl_io_hdr as the first argument
to ctl_scsi_path_string instead.

Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44716

show more ...

CTL: Drop Format Device and Rigid Disk Geometry mode pages

Those mode pages are obsolete since SBC-2 specification almost 20
years ago. First I was trying to understand possible relations
between p

CTL: Drop Format Device and Rigid Disk Geometry mode pages

Those mode pages are obsolete since SBC-2 specification almost 20
years ago. First I was trying to understand possible relations
between physical block and physical sector terms in different specs.
Then was thinking about possible relations to device CHS geometry
and compatibility issues. Finally I just decided that none of it
worth the efforts and should rest in piece.

PR: 276524

show more ...

CAM: Replace random sbuf_printf() with cheaper cat/putc.

cam: Remove left-over sys/cdefs.h in sys/cam

These weren't removed when $FreeBSD$ was removed. They aren't needed and
now are a style(9) nonconformity.

Sponsored by: Netflix

ctl: Use ctl_io_sbuf in ctl_process_done

This reduces a second copy of (mostly) the same code.

Reviewed by: ken, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.free

ctl: Use ctl_io_sbuf in ctl_process_done

This reduces a second copy of (mostly) the same code.

Reviewed by: ken, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D42210

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

cam/ctl: Migrate to modern uintXX_t from u_intXX_t

As per https://lists.freebsd.org/archives/freebsd-scsi/2023-July/000257.html
move to the modern uintXX_t.

MFC After: 3 days
Sponsored by: Netflix

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

CTL: Increase maximum SCSI tag size from 32 to 64 bits.

SAM-5 specification states maximum size of command identifier (tag),
defined by specific transports, should not be larger than 64 bits.
While

CTL: Increase maximum SCSI tag size from 32 to 64 bits.

SAM-5 specification states maximum size of command identifier (tag),
defined by specific transports, should not be larger than 64 bits.
While most of supported transports use 32 bits or less, it was
reported that virtio-scsi uses 64 bits. Truncation to 32 bits in
bhyve code caused false tag conflict errors reported and possibly
other issues.

This changes CTL ABI and HA protocol, so CTL_HA_VERSION is bumped.

While we make HA protocol incompatible, increase default maximum
number of ports in CTL from 256 to 1024, matching number of LUNs.
There are many reports from people who need many iSCSI targets with
only one LUN each. Increased memory consumption should be less of
a problem these days.

PR: 267539

show more ...

CTL: Validate IOCTL parameters.

It was possible to cause kernel panic by passing too large args_len
or non-NULL result_nvl.

Though since the /dev/cam/ctl device is accessible only by root and
used

CTL: Validate IOCTL parameters.

It was possible to cause kernel panic by passing too large args_len
or non-NULL result_nvl.

Though since the /dev/cam/ctl device is accessible only by root and
used only by limited number of tools it was not a big problem.

PR: 266115
PR: 266136
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 1 week

show more ...