git: 72aad3f9028a - main - Fix kernel memory disclosures in mpr and mps
Date: Thu, 02 Mar 2023 20:32:00 UTC
The branch main has been updated by asomers: URL: https://cgit.FreeBSD.org/src/commit/?id=72aad3f9028af12e6c56a3a461b46a153abd7b24 commit 72aad3f9028af12e6c56a3a461b46a153abd7b24 Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2023-03-01 18:53:46 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-03-02 20:31:06 +0000 Fix kernel memory disclosures in mpr and mps In every mpr and mps ioctl that copies kernel data to userland, validate that the requested length does not exceed the size of the kernel's buffer. Note that all of these ioctls already required root access. MFC after: 2 weeks Sponsored by: Axcient Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D38842
---
 sys/dev/mpr/mpr_user.c | 7 ++++---
 sys/dev/mps/mps_user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
index d04aaa24ea0b..5b5c11dd4a65 100644
--- a/sys/dev/mpr/mpr_user.c
+++ b/sys/dev/mpr/mpr_user.c
@@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 }
 mpr_unlock(sc);
 copyout(cm->cm_reply, PTRIN(data->PtrReply),
- data->ReplySize);
+ MIN(sz, data->ReplySize));
 mpr_lock(sc);
 }
 mprsas_free_tm(sc, cm);
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 data->ReplySize, sz);
 }
 mpr_unlock(sc);
- copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+ copyout(cm->cm_reply, PTRIN(data->PtrReply),
+ MIN(sz, data->ReplySize));
 mpr_lock(sc);
 if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data)
 if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 mpr_unlock(sc);
 if (copyout((void *)sc->recorded_events,
- PTRIN(data->PtrEvents), size) != 0)
+ PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 status = EFAULT;
 mpr_lock(sc);
 } else {
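Review bot: The return value of `copyout()` is still discarded at the clamped call in the hunk at -863, so a bad `PtrReply` address fails silently and the ioctl can report success although nothing was delivered. The same holds for the second mpr_user_pass_thru hunk at -1087 and for both mps_user_pass_thru hunks, whereas the event_report hunks already test the result and set `status = EFAULT`. Consider `if (copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)) != 0)` and store `EFAULT` in whatever error variable the function returns. The function body starts and ends outside the hunk, so the name of that variable and the cleanup path have to be checked there.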
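Review bot: The clamp `MIN(sz, data->ReplySize)` is only as tight as `sz`, which is assigned outside this hunk; the context line `data->ReplySize, sz);` suggests it is the length of the returned reply. If that length is taken from a field in the controller's reply rather than from the size of the reply frame allocation, a misbehaving device could still make the copy read past `cm->cm_reply`. Please confirm above the hunk that `sz` is itself bounded by the allocated frame size, and record that at the call with a comment such as `/* sz never exceeds the reply frame; copy no more than the kernel holds */`. This applies equally to the hunk at -863 and to the two mps_user_pass_thru hunks.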
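Review bot: After this change `size` is only a lower bound on the user buffer and no longer the copy length, an intent that is easy to undo in a later edit because nothing in the code states it. A short comment above the copyout would pin it down, for example `/* Copy exactly the kernel array; size is only checked to be large enough. */`. The new continuation line `PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)` probably also exceeds 80 columns once the file's indentation is applied (indentation is not visible on this page), so wrapping after the comma may be needed. Both remarks apply to mps_user_event_report as well; the function continues outside the hunk.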
diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index cdab4d4cd841..9d6aeedafdea 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -862,7 +862,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 }
 mps_unlock(sc);
 copyout(cm->cm_reply, PTRIN(data->PtrReply),
- data->ReplySize);
+ MIN(sz, data->ReplySize));
 mps_lock(sc);
 }
 mpssas_free_tm(sc, cm);
@@ -1015,7 +1015,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 data->ReplySize, sz);
 }
 mps_unlock(sc);
- copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+ copyout(cm->cm_reply, PTRIN(data->PtrReply),
+ MIN(sz, data->ReplySize));
 mps_lock(sc);
 if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -1955,7 +1956,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data)
 if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 mps_unlock(sc);
 if (copyout((void *)sc->recorded_events,
- PTRIN(data->PtrEvents), size) != 0)
+ PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 status = EFAULT;
 mps_lock(sc);
 } else {