git: 9e752dae4ce1 - stable/13 - oce(4): Don't directly access usespace
Date: Thu, 20 Jul 2023 20:44:55 UTC
The branch stable/13 has been updated by brooks:
URL: https://cgit.FreeBSD.org/src/commit/?id=9e752dae4ce125d873f12fde993e0466ed42b54c
commit 9e752dae4ce125d873f12fde993e0466ed42b54c
Author: Brooks Davis <brooks@FreeBSD.org>
AuthorDate: 2023-06-14 17:55:41 +0000
Commit: Brooks Davis <brooks@FreeBSD.org>
CommitDate: 2023-07-20 20:41:14 +0000
oce(4): Don't directly access usespace
Replace direct stores to userspace addresses (never safe and broken on modern CPUs) with a copyout. Use a static assert on the size to ensure we don't overflow the field.
Reviewed by: markj, jhb
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D40519
(cherry picked from commit 758927a982db0ae3ebb02c05aec8a53bcc0c20cb)
---
 sys/dev/oce/oce_if.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/sys/dev/oce/oce_if.c b/sys/dev/oce/oce_if.c
index 1127565282c1..2d089344e844 100644
--- a/sys/dev/oce/oce_if.c
+++ b/sys/dev/oce/oce_if.c
@@ -2250,7 +2250,6 @@ oce_handle_passthrough(struct ifnet *ifp, caddr_t data)
 uint32_t req_size;
 struct mbx_hdr req;
 OCE_DMA_MEM dma_mem;
- struct mbx_common_get_cntl_attr *fw_cmd;
 if (copyin(priv_data, cookie, strlen(IOCTL_COOKIE)))
 return EFAULT;
@@ -2282,17 +2281,25 @@ oce_handle_passthrough(struct ifnet *ifp, caddr_t data)
 goto dma_free;
 }
- if (copyout(OCE_DMAPTR(&dma_mem,char), ioctl_ptr, req_size))
+ if (copyout(OCE_DMAPTR(&dma_mem,char), ioctl_ptr, req_size)) {
 rc = EFAULT;
+ goto dma_free;
+ }
 /* firmware is filling all the attributes for this ioctl except the driver version..so fill it */
 if(req.u0.rsp.opcode == OPCODE_COMMON_GET_CNTL_ATTRIBUTES) {
- fw_cmd = (struct mbx_common_get_cntl_attr *) ioctl_ptr;
- strncpy(fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str,
- COMPONENT_REVISION, strlen(COMPONENT_REVISION));
+ struct mbx_common_get_cntl_attr *fw_cmd =
+ (struct mbx_common_get_cntl_attr *)ioctl_ptr;
+ _Static_assert(sizeof(COMPONENT_REVISION) <=
+ sizeof(fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str),
+ "driver version string too long");
+
+ rc = copyout(COMPONENT_REVISION,
+ fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str,
+ sizeof(COMPONENT_REVISION));
 }
 dma_free:
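Review bot: The new copyout of COMPONENT_REVISION in the OPCODE_COMMON_GET_CNTL_ATTRIBUTES branch writes at a fixed offset inside ioctl_ptr without checking that req_size, which bounded the preceding copyout of the response, actually reaches drv_ver_str. If req_size is derived from the caller's request header (its origin is outside this hunk, so this is inferred), a short request would make the driver write past the region the caller declared; copyout keeps that within the calling process's address space, so the effect would be corrupted caller memory or a late EFAULT rather than a kernel-side write. A length guard ahead of the second copyout would close this, e.g. `if (req_size < sizeof(*fw_cmd)) { rc = EINVAL; goto dma_free; }`, assuming req_size counts the whole command including its header, which should be confirmed where it is computed. oce_handle_passthrough begins and ends outside the hunk.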