From nobody Wed Apr 06 03:04:16 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 73BC41A845C7; Wed, 6 Apr 2022 03:04:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY8Vm4jwSz4dgk; Wed, 6 Apr 2022 03:04:16 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214256; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Uc9aukZxyuhzCWLywEPANJBy+7xiJaxTGH65ZU5PRRE=; b=XvAT2pBi9od8zZE/6Hef7pkMtvkTDXOeudiuNNKQE1p/yfm1EV4DFu5lARIt5SNbUOwsp/ F7XnFO/5NUOvdrPuHE3fUqS5hQVZBmDqfGzkgZPmv1qPmtoQmbA+c68nPvDlChPFrZb6Zj cCmjUCVUsyWNasM/KEDL0gzT1kPBNLscBo3ulXRRXTRCGy3tsPMqFfiEPn+v5ebK9bHjnV MOuz0dPpRtgEVZqgmSVfy3wLm3ndz6o8jEM+dLAoqMzdpaN8sycTEDWqUxMYR6DTU5poL5 kzDstzz9Pb85TI17hgwKvIWAzHRXv9CNnHeacmHKUTrmRvH3otsruJSRzZEqyw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 457271344F; Wed, 6 Apr 2022 03:04:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23634GdH034784; Wed, 6 Apr 2022 03:04:16 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23634Gnl034783; Wed, 6 Apr 2022 03:04:16 GMT (envelope-from git) Date: Wed, 6 Apr 2022 03:04:16 GMT Message-Id: <202204060304.23634Gnl034783@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: e724f3ce7970 - releng/13.0 - mpr/mps/mpt: verify cfg page ioctl lengths List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.0 X-Git-Reftype: branch X-Git-Commit: e724f3ce79707d1085fae666a678eab07c05af5a Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214256; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Uc9aukZxyuhzCWLywEPANJBy+7xiJaxTGH65ZU5PRRE=; b=XA7/0/aLxPkBEYHltXrFpV0wM8kmDmwamLaZFq5u6oF8bFZ0ADancEPO2ds73Oq8IFUXb3 +sB8KsTeLYFpnjrNTg7uVuZdH/iqhWMllI8TpQIXCVO5OjGfTfiq/gqwPvZF7p8AA8x5GK o/8Jq2B87awEZC8O3CHrZH9VH7yFuJyH73AFLqWEqOAJjubLUUDaLYemPi9DuheCbX4RPv kRlG77uN3bcFYZR2fVNJqdTLNQ9rTQ8gE3W8zm2sOHEO1MGq32d+FFKRcmGC30W+QPaFiR MeshBavvank9vfTCi+PZfKSMhkOkzzerGoMxT4Oy1RlGj0UdHYVLIYLgMfy1OA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649214256; a=rsa-sha256; cv=none; b=F1SF3eRQVLcoCC6J9CJ0lQFHeahmGZR10YkWD5er4k5meohfu0Y47S520cUoHYUh5BdmF6 TsJ5tfLQg4Vzn5UNRiFH5tP8Pwwkta3YvqKKMF5PGNkzfSmnwxjGxw6Fdhq/KFYv3D1e7o EWoRd4JamWCMstwMDCi5UiTK93qXwEHE05rYkxpC7zHz/A3L30CcbYGM8YzHQiDL3roU/F viVLSx2aNBQTSUbYYcOO4Ljn2rC+iRE/xXxhUXl84sSVxwTMPewNLcuTcKuj4clHY2LUOg H0KHgL6YtQYW7ibpns+DBf+mi5Pl7TwkRIqnTb5/Dwg16unWXOp9wY1793XK4Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch releng/13.0 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=e724f3ce79707d1085fae666a678eab07c05af5a commit e724f3ce79707d1085fae666a678eab07c05af5a Author: Ed Maste AuthorDate: 2022-04-05 23:26:48 +0000 Commit: Ed Maste CommitDate: 2022-04-05 23:26:48 +0000 mpr/mps/mpt: verify cfg page ioctl lengths *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087) (cherry picked from commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb) Approved by: so Security: CVE-2022-23086 Security: FreeBSD-SA-22:06.ioctl --- sys/dev/mpr/mpr_user.c | 13 +++++++++++++ sys/dev/mps/mps_user.c | 13 +++++++++++++ sys/dev/mpt/mpt_user.c | 13 +++++++++++++ 3 files changed, 39 insertions(+) diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index cab865e2e535..08c2b8b39244 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -2266,6 +2266,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mpr_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2284,6 +2288,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(ext_page_req->buf, mpr_page, @@ -2298,6 +2307,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len); break; case MPRIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mpr_page, page_req->len); if (error) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index 9d4aab54562f..a16201cde131 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -2168,6 +2168,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mps_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2186,6 +2190,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(ext_page_req->buf, mps_page, sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)); @@ -2199,6 +2208,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mps_page, ext_page_req->buf, ext_page_req->len); break; case MPSIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mps_page, page_req->len); if (error) diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c index cf339387c10e..10d5bac15d49 100644 --- a/sys/dev/mpt/mpt_user.c +++ b/sys/dev/mpt/mpt_user.c @@ -672,6 +672,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_CFG_PAGE32: #endif case MPTIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break; @@ -698,6 +702,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_EXT_CFG_PAGE32: #endif case MPTIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len); if (error) break; @@ -717,6 +726,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_WRITE_CFG_PAGE32: #endif case MPTIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break;