Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 29 Aug 2012 17:36:12 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r239866 - stable/9/sys/dev/mfi
Message-ID:  <201208291736.q7THaCEm086409@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jhb
Date: Wed Aug 29 17:36:12 2012
New Revision: 239866
URL: http://svn.freebsd.org/changeset/base/239866

Log:
  MFC 238077:
  Fix panics triggered by older mfiutil binaries run on the new mfi(4) driver.
  The new driver changed the size of the mfi_dcmd_frame structure in such a
  way that a MFI_IOC_PASSTHRU ioctl from an old amd64 binary is treated as an
  MFI_IOC_PASSTHRU32 ioctl in the new driver.  As a result, the user pointer
  is treated as the buffer length.  mfi_user_command() doesn't have a bounds
  check on the buffer length, so it passes a really big value to malloc()
  which panics when it tries to exhaust the kmem_map.  Fix this two ways:
  - Only honor MFI_IOC_PASSTHRU32 if the binary has the SV_ILP32 flag set,
    otherwise treat it as an unknown ioctl.
  - Add a bounds check on the buffer length passed by the user.  For now
    it fails any user attempts to use a buffer larger than 1MB.
  
  While here, fix a few other nits:
  - Remove an unnecessary check for a NULL return from malloc(M_WAITOK).
  - Use the ENOTTY errno for invalid ioctl commands instead of ENOENT.

Modified:
  stable/9/sys/dev/mfi/mfi.c
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/amd64/include/xen/   (props changed)
  stable/9/sys/boot/   (props changed)
  stable/9/sys/boot/i386/efi/   (props changed)
  stable/9/sys/boot/ia64/efi/   (props changed)
  stable/9/sys/boot/ia64/ski/   (props changed)
  stable/9/sys/boot/powerpc/boot1.chrp/   (props changed)
  stable/9/sys/boot/powerpc/ofw/   (props changed)
  stable/9/sys/cddl/contrib/opensolaris/   (props changed)
  stable/9/sys/conf/   (props changed)
  stable/9/sys/contrib/dev/acpica/   (props changed)
  stable/9/sys/contrib/octeon-sdk/   (props changed)
  stable/9/sys/contrib/pf/   (props changed)
  stable/9/sys/contrib/x86emu/   (props changed)
  stable/9/sys/dev/   (props changed)
  stable/9/sys/dev/e1000/   (props changed)
  stable/9/sys/dev/isp/   (props changed)
  stable/9/sys/dev/ixgbe/   (props changed)
  stable/9/sys/fs/   (props changed)
  stable/9/sys/fs/ntfs/   (props changed)
  stable/9/sys/modules/   (props changed)

Modified: stable/9/sys/dev/mfi/mfi.c
==============================================================================
--- stable/9/sys/dev/mfi/mfi.c	Wed Aug 29 16:58:51 2012	(r239865)
+++ stable/9/sys/dev/mfi/mfi.c	Wed Aug 29 17:36:12 2012	(r239866)
@@ -73,6 +73,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/uio.h>
 #include <sys/proc.h>
 #include <sys/signalvar.h>
+#include <sys/sysent.h>
 #include <sys/taskqueue.h>
 
 #include <machine/bus.h>
@@ -2832,10 +2833,9 @@ mfi_user_command(struct mfi_softc *sc, s
 
 
 	if (ioc->buf_size > 0) {
-		ioc_buf = malloc(ioc->buf_size, M_MFIBUF, M_WAITOK);
-		if (ioc_buf == NULL) {
+		if (ioc->buf_size > 1024 * 1024)
 			return (ENOMEM);
-		}
+		ioc_buf = malloc(ioc->buf_size, M_MFIBUF, M_WAITOK);
 		error = copyin(ioc->buf, ioc_buf, ioc->buf_size);
 		if (error) {
 			device_printf(sc->mfi_dev, "failed to copyin\n");
@@ -3244,6 +3244,10 @@ out:
 		}
 #ifdef COMPAT_FREEBSD32
 	case MFIIO_PASSTHRU32:
+		if (!SV_CURPROC_FLAG(SV_ILP32)) {
+			error = ENOTTY;
+			break;
+		}
 		iop_swab.ioc_frame	= iop32->ioc_frame;
 		iop_swab.buf_size	= iop32->buf_size;
 		iop_swab.buf		= PTRIN(iop32->buf);
@@ -3259,7 +3263,7 @@ out:
 		break;
 	default:
 		device_printf(sc->mfi_dev, "IOCTL 0x%lx not handled\n", cmd);
-		error = ENOENT;
+		error = ENOTTY;
 		break;
 	}
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201208291736.q7THaCEm086409>