pass(4): Allowlist CCB func_codes to harden passthrough ioctls

The pass(4) driver's CAMIOCOMMAND and CAMIOQUEUE ioctls accept arbitrary
CCBs from userland. This device requires root to open, and th

pass(4): Allowlist CCB func_codes to harden passthrough ioctls

The pass(4) driver's CAMIOCOMMAND and CAMIOQUEUE ioctls accept arbitrary
CCBs from userland. This device requires root to open, and thus send
these commands. Previously, the only func_code filter was a blocklist
check against the XPT_FC_XPT_ONLY flag. This missed several dangerous
func_codes that lack that flag:

- XPT_ABORT: the abort_ccb field is a raw kernel pointer from the
user CCB payload. xpt_action_default() dereferences it without
validation, leading to kernel crashes or worse.

- XPT_SASYNC_CB: the callback and callback_arg fields come directly
from the user CCB payload and get registered as a kernel async
callback, allowing arbitrary kernel code execution.

- Target mode CCBs (XPT_EN_LUN, XPT_TARGET_IO, etc.) fall through
directly to the SIM with user-controlled payloads.

Replace the XPT_FC_XPT_ONLY blocklist with an explicit allowlist of CCB
function codes that are known to be safe for userland to submit: I/O
operations (SCSI, ATA, NVMe, SMP, MMC), device queries, transport
settings, and a handful of safe control operations (NOOP, REL_SIMQ,
RESET_DEV, DEBUG). Normally, the /dev/pass* permissions only allow root
to access them, so this is only a safety issue by default.

Also reject CAM_DATA_PADDR and CAM_DATA_SG_PADDR, since these pass
user-supplied physical addresses directly to DMA with no validation,
which on systems without an IOMMU allows arbitrary host memory access.
Add `options PASS_UNSAFE_PADDR` to allow the old behavior.

Verified that camdd, camcontrol, smartmontools, and cdrtools use only
func_codes on the allowlist (XPT_SCSI_IO, XPT_ATA_IO, XPT_NVME_IO,
XPT_NVME_ADMIN, XPT_PATH_INQ, XPT_GDEV_TYPE, XPT_GET_TRAN_SETTINGS,
XPT_SET_TRAN_SETTINGS, XPT_RESET_DEV, XPT_DEBUG) and none use
CAM_DATA_PADDR.

PR: 293888, 293890
Assisted-By: Claude Opus 4.6 (1M context)
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D56486

show more ...

Remove residual blank line at start of Makefile

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

cam: Minor tidying up the cam module Makefile

One src per line + sorting.

Sponsored by: Netflix

sys: Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

We don't need $M/$M in the path anymore.

Now that machdep files are gone, we don't need $S/$M/$M in the path to find
them.

Sparc64 and pc98 needed cam_machdep and/or ata_machdep for various
reasons. Those have now left the tree, and with them the need to have machdep
files. Places that called the routines in quesiton hav

Sparc64 and pc98 needed cam_machdep and/or ata_machdep for various
reasons. Those have now left the tree, and with them the need to have machdep
files. Places that called the routines in quesiton have been removed
previously. Remove these files from the Makefile to tidy up.

show more ...

Add nvme_util.c to cam.ko.

cam.ko can't load onto the kernel w/o nvme in the kernel. Add
nvme_util.c to cam.ko.

Noticed by: kib@

Move most of the contents of opt_compat.h to opt_global.h.

opt_compat.h is mentioned in nearly 180 files. In-progress network
driver compabibility improvements may add over 100 more so this is
close

Move most of the contents of opt_compat.h to opt_global.h.

opt_compat.h is mentioned in nearly 180 files. In-progress network
driver compabibility improvements may add over 100 more so this is
closer to "just about everywhere" than "only some files" per the
guidance in sys/conf/options.

Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of
sys/compat/linux/*.c. A fake _COMPAT_LINUX option ensure opt_compat.h
is created on all architectures.

Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the
set of compiled files.

Reviewed by: kib, cem, jhb, jtl
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14941

show more ...

Add nvme_da back.

Now that it can co-exist in the kernel with nvd, add it back to the
cam module.

Sponsored by: Netflix

This should have been += so clean builds work.

Noticed by: hps@

We need opt_compat.h after r330819 and 330820.

Add opt_compat.h to fix the stand-alone build case.

Sponsored by: Netflix.

Add new opt_da.h for stand-alone build.

Sponsored by: Netflix

sys/modules: normalize .CURDIR-relative paths to SRCTOP

This simplifies make output/logic

Tested with: `cd sys/modules; make ALL_MODULES=` on amd64
MFC after: 1 month
Sponsored by: Dell EMC Isilon

Merge ^/head r314270 through r314419.

Move inclusion of opt_printf.h around so that we can compile all the
SCSI modules outside of a sub-build from the kernel.

Differential Revision: https://reviews.freebsd.org/D9653
Sponsored by: Netfl

Move inclusion of opt_printf.h around so that we can compile all the
SCSI modules outside of a sub-build from the kernel.

Differential Revision: https://reviews.freebsd.org/D9653
Sponsored by: Netflix

show more ...

Make cam.ko loadable.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Add opt_ddb.h.

MFC after: 1 week

opt_kdtrace.h is not needed for SDT probes as of r258541.

MFH

Sponsored by: The FreeBSD Foundation

Sync cam.ko module source list with the static kernel file list.

Sponsored by: The FreeBSD Foundation

MFH r289384-r293170

Sponsored by: The FreeBSD Foundation

MFH @r292599

This includes the pluggable TCP framework and other chnages to the
netstack to track for VNET stability.

Security: The FreeBSD Foundation

Fix make depend

Merge from head@274682

IFC @r269962

Submitted by: Anish Gupta (akgupt3@gmail.com)