Date: Wed, 22 Mar 2023 19:28:11 GMT
Message-Id: <202303221928.32MJSBJ0003720@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Alan Somers
Subject: git: 1a798187e554 - stable/13 - Fix kernel memory disclosures in mpr and mps
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: asomers
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 1a798187e5546c817a3bab845d73520d4a88a185

The branch stable/13 has been updated by asomers:

URL: https://cgit.FreeBSD.org/src/commit/?id=1a798187e5546c817a3bab845d73520d4a88a185

commit 1a798187e5546c817a3bab845d73520d4a88a185
Author:     Alan Somers
AuthorDate: 2023-03-01 18:53:46 +0000
Commit:     Alan Somers
CommitDate: 2023-03-22 16:52:42 +0000

    Fix kernel memory disclosures in mpr and mps

    In every mpr and mps ioctl that copies kernel data to userland, validate
    that the requested length does not exceed the size of the kernel's
    buffer. Note that all of these ioctls already required root access.

    Sponsored by: Axcient
    Reviewed by: imp
    Differential Revision: https://reviews.freebsd.org/D38842

    (cherry picked from commit 72aad3f9028af12e6c56a3a461b46a153abd7b24)

--- sys/dev/mpr/mpr_user.c | 7 ++++--- sys/dev/mps/mps_user.c | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index d04aaa24ea0b..5b5c11dd4a65 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) } mpr_unlock(sc); copyout(cm->cm_reply, PTRIN(data->PtrReply), - data->ReplySize); + MIN(sz, data->ReplySize)); mpr_lock(sc); } mprsas_free_tm(sc, cm); 
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) data->ReplySize, sz); } mpr_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize); + copyout(cm->cm_reply, PTRIN(data->PtrReply), + MIN(sz, data->ReplySize)); mpr_lock(sc); if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || @@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data) if ((size >= sizeof(sc->recorded_events)) && (status == 0)) { mpr_unlock(sc); if (copyout((void *)sc->recorded_events, - PTRIN(data->PtrEvents), size) != 0) + PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0) status = EFAULT; mpr_lock(sc); } else { diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index a16201cde131..3b8f79802808 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -874,7 +874,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) } mps_unlock(sc); copyout(cm->cm_reply, PTRIN(data->PtrReply), - data->ReplySize); + MIN(sz, data->ReplySize)); mps_lock(sc); } mpssas_free_tm(sc, cm); @@ -1027,7 +1027,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) data->ReplySize, sz); } mps_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize); + copyout(cm->cm_reply, PTRIN(data->PtrReply), + MIN(sz, data->ReplySize)); mps_lock(sc); if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || @@ -1967,7 +1968,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data) if ((size >= sizeof(sc->recorded_events)) && (status == 0)) { mps_unlock(sc); if (copyout((void *)sc->recorded_events, - PTRIN(data->PtrEvents), size) != 0) + PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0) status = EFAULT; mps_lock(sc); } else {
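
Review bot: In the mpr_user.c hunk at @@ -863, the new bound `MIN(sz, data->ReplySize)` is only as strong as `sz`, and the assignment of `sz` on this path is outside the visible context. Unlike the event-report hunks, the limit here is a variable rather than a sizeof of the source buffer, so please confirm that `sz` can never exceed the allocation behind `cm->cm_reply`, and consider a short comment or KASSERT stating that invariant next to the copyout(). The mps_user.c hunk at @@ -874 has the same dependency.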
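
Review bot: The copyout() rewritten at @@ -1087 in mpr_user.c still discards its return value, so a bad `data->PtrReply` goes unreported to the caller, whereas the event-report path in the same file tests `!= 0` and sets `status = EFAULT`. Since the call is being touched anyway, consider checking the result and propagating EFAULT here as well. The same applies to the copyout() at @@ -863 and to both mps_user_pass_thru hunks.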
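
Review bot: In mpr_user_event_report at @@ -2065, the user-supplied `size` now serves only as a threshold in `size >= sizeof(sc->recorded_events)`, and the copy length is fixed at `sizeof(sc->recorded_events)`. That is the right bound, but a caller that passes a larger `size` will receive fewer bytes than it asked for, and nothing in the hunk reports the length actually written. A one-line comment explaining why `size` is deliberately not used as the length would keep a later cleanup from reverting it. The same note applies to mps_user.c at @@ -1967.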
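
Review bot: In the mps_user.c hunk at @@ -1027, the copy is silently shortened to `sz` whenever `data->ReplySize` is larger, which leaves the tail of the user's reply buffer untouched. Nothing visible in the hunk tells userland how many bytes were written, so it would help to document this in the ioctl's description, or to state in the commit message that callers must not assume the whole `ReplySize` region was filled. The mpr_user.c hunk at @@ -1087 behaves the same way.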