Date: Tue, 29 Mar 2022 00:54:06 GMT
Message-Id: <202203290054.22T0s6Kg055435@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 8276c4149b5f - main - mpr/mps/mpt: verify cfg page ioctl lengths
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8276c4149b5fc7c755d6b244fbbf6dae1939f087

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=8276c4149b5fc7c755d6b244fbbf6dae1939f087

commit
8276c4149b5fc7c755d6b244fbbf6dae1939f087
Author:     Ed Maste
AuthorDate: 2022-03-28 13:33:54 +0000
Commit:     Ed Maste
CommitDate: 2022-03-29 00:35:47 +0000

    mpr/mps/mpt: verify cfg page ioctl lengths

    *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
    buffer of a caller-specified size, but copied to it a fixed size header.
    Add checks that the size is at least the required minimum.

    Note that the device nodes are owned by root:operator with 0640
    permissions so the ioctls are not available to unprivileged users.

    This change includes suggestions from scottl, markj and mav.

    Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend
    Micro Zero Day Initiative; scottl reported the third case in mpt. Same
    issue found in mpr and mps after discussion with imp.

    Reported by:    Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
    Reviewed by:    imp, mav
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34692
---
 sys/dev/mpr/mpr_user.c | 13 +++++++++++++
 sys/dev/mps/mps_user.c | 13 +++++++++++++
 sys/dev/mpt/mpt_user.c | 13 +++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index cab865e2e535..08c2b8b39244 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -2266,6 +2266,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mpr_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); 
@@ -2284,6 +2288,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(ext_page_req->buf, mpr_page, @@ -2298,6 +2307,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len); break; case MPRIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mpr_page, page_req->len); if (error) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index 4b09b486b0dd..cdab4d4cd841 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -2156,6 +2156,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mps_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2174,6 +2178,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(ext_page_req->buf, mps_page, sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)); 
@@ -2187,6 +2196,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mps_page, ext_page_req->buf, ext_page_req->len); break; case MPSIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mps_page, page_req->len); if (error) diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c index cf339387c10e..10d5bac15d49 100644 --- a/sys/dev/mpt/mpt_user.c +++ b/sys/dev/mpt/mpt_user.c @@ -672,6 +672,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_CFG_PAGE32: #endif case MPTIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break; @@ -698,6 +702,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_EXT_CFG_PAGE32: #endif case MPTIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len); if (error) break; @@ -717,6 +726,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_WRITE_CFG_PAGE32: #endif case MPTIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break;
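Review bot: the `(int)sizeof(MPI2_CONFIG_PAGE_HEADER)` cast in the `MPRIO_READ_CFG_PAGE` / `MPSIO_READ_CFG_PAGE` hunks (and the matching `(int)sizeof(CONFIG_PAGE_HEADER)` in mpt) deserves a one-line comment, since it is what makes the check hold for a negative `len`: without the cast a signed `page_req->len` would be promoted to `size_t` and a negative value would compare as huge and pass, then reach `malloc(page_req->len, ...)`. The ordering is right as well, with the `EINVAL` `break` placed before the allocation so the error path has nothing to free; a comment such as `/* len is signed; keep the comparison signed */` would stop the cast being dropped in a later cleanup.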
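Review bot: the `*_READ_EXT_CFG_PAGE` hunks add only a lower bound on `ext_page_req->len`; the context lines show the same value passed straight to `malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO)` (mps, mpt likewise) with no upper bound visible in the hunk. If nothing earlier in `mpr_ioctl` / `mps_ioctl` / `mpt_ioctl` caps the request, consider rejecting lengths above a reasonable maximum for a configuration page in the same `if`, so an oversized request fails with `EINVAL` rather than being satisfied with an arbitrarily large wired allocation; the commit message's note that the device nodes are root:operator 0640 bounds who can reach this path, but the check is cheap and keeps the two ends of the range validated in one place.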
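Review bot: in the three mpt hunks the 32-bit compat labels (`MPTIO_READ_CFG_PAGE32`, `MPTIO_READ_EXT_CFG_PAGE32`, `MPTIO_WRITE_CFG_PAGE32` under `#ifdef`) fall through into the new `if (page_req->len < ...)` / `if (ext_page_req->len < ...)` checks, so both the native and compat paths are covered, provided `page_req` / `ext_page_req` have already been translated from the 32-bit request at that point (not visible in the hunk; worth confirming). Since the identical check now appears nine times across mpr, mps and mpt, a small shared helper, or at least a comment at each site naming the header that the following `copyin(..., sizeof(CONFIG_PAGE_HEADER))` depends on, would keep the minimum sizes from drifting apart when one driver's header structure changes.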