git: 72aad3f9028a - main - Fix kernel memory disclosures in mpr and mps

The branch main has been updated by asomers:

URL: https://cgit.FreeBSD.org/src/commit/?id=72aad3f9028af12e6c56a3a461b46a153abd7b24

commit 72aad3f9028af12e6c56a3a461b46a153abd7b24
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-03-01 18:53:46 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-03-02 20:31:06 +0000

    Fix kernel memory disclosures in mpr and mps
    
    In every mpr and mps ioctl that copies kernel data to userland, validate
    that the requested length does not exceed the size of the kernel's
    buffer.
    
    Note that all of these ioctls already required root access.
    
    MFC after:      2 weeks
    Sponsored by:   Axcient
    Reviewed by:    imp
    Differential Revision: https://reviews.freebsd.org/D38842
---
 sys/dev/mpr/mpr_user.c | 7 ++++---
 sys/dev/mps/mps_user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
index d04aaa24ea0b..5b5c11dd4a65 100644
--- a/sys/dev/mpr/mpr_user.c
+++ b/sys/dev/mpr/mpr_user.c
@@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 			}
 			mpr_unlock(sc);
 			copyout(cm->cm_reply, PTRIN(data->PtrReply),
-			    data->ReplySize);
+			    MIN(sz, data->ReplySize));
 			mpr_lock(sc);
 		}
 		mprsas_free_tm(sc, cm);
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 			    data->ReplySize, sz);
 		}
 		mpr_unlock(sc);
-		copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+		copyout(cm->cm_reply, PTRIN(data->PtrReply),
+		    MIN(sz, data->ReplySize));
 		mpr_lock(sc);
 
 		if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data)
 	if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 		mpr_unlock(sc);
 		if (copyout((void *)sc->recorded_events,
-		    PTRIN(data->PtrEvents), size) != 0)
+		    PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 			status = EFAULT;
 		mpr_lock(sc);
 	} else {
diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index cdab4d4cd841..9d6aeedafdea 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -862,7 +862,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 			}
 			mps_unlock(sc);
 			copyout(cm->cm_reply, PTRIN(data->PtrReply),
-			    data->ReplySize);
+			    MIN(sz, data->ReplySize));
 			mps_lock(sc);
 		}
 		mpssas_free_tm(sc, cm);
@@ -1015,7 +1015,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 			    data->ReplySize, sz);
 		}
 		mps_unlock(sc);
-		copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+		copyout(cm->cm_reply, PTRIN(data->PtrReply),
+		    MIN(sz, data->ReplySize));
 		mps_lock(sc);
 
 		if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -1955,7 +1956,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data)
 	if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 		mps_unlock(sc);
 		if (copyout((void *)sc->recorded_events,
-		    PTRIN(data->PtrEvents), size) != 0)
+		    PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 			status = EFAULT;
 		mps_lock(sc);
 	} else {