Date: Thu, 2 Mar 2023 20:32:00 GMT
Message-Id: <202303022032.322KW0qM063303@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alan Somers
Subject: git: 72aad3f9028a - main - Fix kernel memory disclosures in mpr and mps
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: asomers
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 72aad3f9028af12e6c56a3a461b46a153abd7b24

The branch main has been updated by asomers:

URL: https://cgit.FreeBSD.org/src/commit/?id=72aad3f9028af12e6c56a3a461b46a153abd7b24

commit 72aad3f9028af12e6c56a3a461b46a153abd7b24
Author:     Alan Somers
AuthorDate: 2023-03-01 18:53:46 +0000
Commit:     Alan Somers
CommitDate: 2023-03-02 20:31:06 +0000

    Fix kernel memory disclosures in mpr and mps

    In every mpr and mps ioctl that copies kernel data to userland, validate
    that the requested length does not exceed the size of the kernel's
    buffer.  Note that all of these ioctls already required root access.

    MFC after:      2 weeks
    Sponsored by:   Axcient
    Reviewed by:    imp
    Differential Revision: https://reviews.freebsd.org/D38842

--- sys/dev/mpr/mpr_user.c | 7 ++++--- sys/dev/mps/mps_user.c | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index d04aaa24ea0b..5b5c11dd4a65 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) } mpr_unlock(sc); copyout(cm->cm_reply, PTRIN(data->PtrReply), - data->ReplySize); + MIN(sz, data->ReplySize)); mpr_lock(sc); } mprsas_free_tm(sc, cm);
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) data->ReplySize, sz); } mpr_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize); + copyout(cm->cm_reply, PTRIN(data->PtrReply), + MIN(sz, data->ReplySize)); mpr_lock(sc); if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || @@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data) if ((size >= sizeof(sc->recorded_events)) && (status == 0)) { mpr_unlock(sc); if (copyout((void *)sc->recorded_events, - PTRIN(data->PtrEvents), size) != 0) + PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0) status = EFAULT; mpr_lock(sc); } else { diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index cdab4d4cd841..9d6aeedafdea 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -862,7 +862,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) } mps_unlock(sc); copyout(cm->cm_reply, PTRIN(data->PtrReply), - data->ReplySize); + MIN(sz, data->ReplySize)); mps_lock(sc); } mpssas_free_tm(sc, cm); @@ -1015,7 +1015,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) data->ReplySize, sz); } mps_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize); + copyout(cm->cm_reply, PTRIN(data->PtrReply), + MIN(sz, data->ReplySize)); mps_lock(sc); if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || @@ -1955,7 +1956,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data) if ((size >= sizeof(sc->recorded_events)) && (status == 0)) { mps_unlock(sc); if (copyout((void *)sc->recorded_events, - PTRIN(data->PtrEvents), size) != 0) + PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0) status = EFAULT; mps_lock(sc); } else {
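Review bot: the return value of copyout() is still discarded in the task-management path of the pass-through ioctl (the @@ -863 hunk in mpr_user.c and the matching @@ -862 hunk in mps_user.c), where the call stands as a bare statement ahead of mpr_lock(sc) / mps_lock(sc). A bad data->PtrReply therefore goes unreported to the caller, while the event-report hunks in this same patch map a copyout() failure to EFAULT. Since the line is being touched anyway, consider capturing the result here and propagating it as an error in the same way.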
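Review bot: the new bound MIN(sz, data->ReplySize) in the second pass-through hunk (@@ -1087 in mpr_user.c, @@ -1015 in mps_user.c) is only as good as sz, and the assignment of sz lies outside the visible context; only the tail of a message printing data->ReplySize and sz is shown. The commit message says the length is validated against the size of the kernel's buffer, so please confirm that sz can never exceed the allocation behind cm->cm_reply and state that in a short comment above the copyout(). It is also worth checking that sz and data->ReplySize have the same signedness and width, so that MIN() does not compare a signed value with an unsigned one.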
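Review bot: a caller whose size is larger than the array now silently receives fewer bytes than it asked for in the event-report hunks (@@ -2065 in mpr_user.c, @@ -1955 in mps_user.c), because the copy length becomes sizeof(sc->recorded_events) under the unchanged guard size >= sizeof(sc->recorded_events). The bound itself is right, but nothing in the visible lines tells userland how much was written, so either make sure the size reported back in the ioctl structure reflects the truncated length or add a comment that the truncation is intentional. As a style point, the (void *) cast on sc->recorded_events is not needed for copyout() and could be dropped while the line is being edited.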