From owner-svn-src-all@FreeBSD.ORG  Wed Aug 29 17:36:12 2012
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A057D1065670;
	Wed, 29 Aug 2012 17:36:12 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 8AD1B8FC0A;
	Wed, 29 Aug 2012 17:36:12 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q7THaCvN086412;
	Wed, 29 Aug 2012 17:36:12 GMT (envelope-from jhb@svn.freebsd.org)
Received: (from jhb@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q7THaCEm086409;
	Wed, 29 Aug 2012 17:36:12 GMT (envelope-from jhb@svn.freebsd.org)
Message-Id: <201208291736.q7THaCEm086409@svn.freebsd.org>
From: John Baldwin <jhb@FreeBSD.org>
Date: Wed, 29 Aug 2012 17:36:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r239866 - stable/9/sys/dev/mfi
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2012 17:36:12 -0000

Author: jhb
Date: Wed Aug 29 17:36:12 2012
New Revision: 239866
URL: http://svn.freebsd.org/changeset/base/239866

Log:
  MFC 238077:
  Fix panics triggered by older mfiutil binaries run on the new mfi(4) driver.
  The new driver changed the size of the mfi_dcmd_frame structure in such a
  way that a MFI_IOC_PASSTHRU ioctl from an old amd64 binary is treated as an
  MFI_IOC_PASSTHRU32 ioctl in the new driver.  As a result, the user pointer
  is treated as the buffer length.  mfi_user_command() doesn't have a bounds
  check on the buffer length, so it passes a really big value to malloc()
  which panics when it tries to exhaust the kmem_map.  Fix this two ways:
  - Only honor MFI_IOC_PASSTHRU32 if the binary has the SV_ILP32 flag set,
    otherwise treat it as an unknown ioctl.
  - Add a bounds check on the buffer length passed by the user.  For now
    it fails any user attempts to use a buffer larger than 1MB.
  
  While here, fix a few other nits:
  - Remove an unnecessary check for a NULL return from malloc(M_WAITOK).
  - Use the ENOTTY errno for invalid ioctl commands instead of ENOENT.

Modified:
  stable/9/sys/dev/mfi/mfi.c
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/amd64/include/xen/   (props changed)
  stable/9/sys/boot/   (props changed)
  stable/9/sys/boot/i386/efi/   (props changed)
  stable/9/sys/boot/ia64/efi/   (props changed)
  stable/9/sys/boot/ia64/ski/   (props changed)
  stable/9/sys/boot/powerpc/boot1.chrp/   (props changed)
  stable/9/sys/boot/powerpc/ofw/   (props changed)
  stable/9/sys/cddl/contrib/opensolaris/   (props changed)
  stable/9/sys/conf/   (props changed)
  stable/9/sys/contrib/dev/acpica/   (props changed)
  stable/9/sys/contrib/octeon-sdk/   (props changed)
  stable/9/sys/contrib/pf/   (props changed)
  stable/9/sys/contrib/x86emu/   (props changed)
  stable/9/sys/dev/   (props changed)
  stable/9/sys/dev/e1000/   (props changed)
  stable/9/sys/dev/isp/   (props changed)
  stable/9/sys/dev/ixgbe/   (props changed)
  stable/9/sys/fs/   (props changed)
  stable/9/sys/fs/ntfs/   (props changed)
  stable/9/sys/modules/   (props changed)

Modified: stable/9/sys/dev/mfi/mfi.c
==============================================================================
--- stable/9/sys/dev/mfi/mfi.c	Wed Aug 29 16:58:51 2012	(r239865)
+++ stable/9/sys/dev/mfi/mfi.c	Wed Aug 29 17:36:12 2012	(r239866)
@@ -73,6 +73,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/uio.h>
 #include <sys/proc.h>
 #include <sys/signalvar.h>
+#include <sys/sysent.h>
 #include <sys/taskqueue.h>
 
 #include <machine/bus.h>
@@ -2832,10 +2833,9 @@ mfi_user_command(struct mfi_softc *sc, s
 
 
 	if (ioc->buf_size > 0) {
-		ioc_buf = malloc(ioc->buf_size, M_MFIBUF, M_WAITOK);
-		if (ioc_buf == NULL) {
+		if (ioc->buf_size > 1024 * 1024)
 			return (ENOMEM);
-		}
+		ioc_buf = malloc(ioc->buf_size, M_MFIBUF, M_WAITOK);
 		error = copyin(ioc->buf, ioc_buf, ioc->buf_size);
 		if (error) {
 			device_printf(sc->mfi_dev, "failed to copyin\n");
@@ -3244,6 +3244,10 @@ out:
 		}
 #ifdef COMPAT_FREEBSD32
 	case MFIIO_PASSTHRU32:
+		if (!SV_CURPROC_FLAG(SV_ILP32)) {
+			error = ENOTTY;
+			break;
+		}
 		iop_swab.ioc_frame	= iop32->ioc_frame;
 		iop_swab.buf_size	= iop32->buf_size;
 		iop_swab.buf		= PTRIN(iop32->buf);
@@ -3259,7 +3263,7 @@ out:
 		break;
 	default:
 		device_printf(sc->mfi_dev, "IOCTL 0x%lx not handled\n", cmd);
-		error = ENOENT;
+		error = ENOTTY;
 		break;
 	}