To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: 6f8312bdff23 - main - ctl_ioctl_frontend: Reject out-of-range initiator IDs
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Date: Sat, 02 May 2026 16:50:46 +0000

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f8312bdff236ad64d1c15c239051359d8245a68

commit 6f8312bdff236ad64d1c15c239051359d8245a68
Author:     John Baldwin
AuthorDate: 2026-05-02 16:43:29 +0000
Commit:     John Baldwin
CommitDate: 2026-05-02 16:43:29 +0000

    ctl_ioctl_frontend: Reject out-of-range initiator IDs

    Various places in CTL assume that initiator IDs are not larger than
    CTL_MAX_INIT_PER_PORT. Other IDs such as lun IDs are validated in
    places such as ctl_scsiio_precheck, but initiator IDs submitted by
    userland were not previously validated.

    PR: 291059
    Reported by: Hans Rosenfeld
    Reviewed by: asomers
    Sponsored by: Chelsio Communications
    Differential Revision: https://reviews.freebsd.org/D56628
---
 sys/cam/ctl/ctl_frontend_ioctl.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/cam/ctl/ctl_frontend_ioctl.c b/sys/cam/ctl/ctl_frontend_ioctl.c index 3449154afb38..4b82552ec21f 100644 --- a/sys/cam/ctl/ctl_frontend_ioctl.c +++ b/sys/cam/ctl/ctl_frontend_ioctl.c
@@ -588,7 +588,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td) { struct cfi_port *cfi; - union ctl_io *io; + union ctl_io *io, *user_io; void *pool_tmp, *sc_tmp; int retval = 0; @@ -606,6 +606,11 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, if ((cfi->port.status & CTL_PORT_STATUS_ONLINE) == 0) return (EPERM); + /* Reject out-of-range initiator IDs. */ + user_io = (void *)addr; + if (user_io->io_hdr.nexus.initid >= CTL_MAX_INIT_PER_PORT) + return (EINVAL); + io = ctl_alloc_io(cfi->port.ctl_pool_ref); /* @@ -614,7 +619,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, */ pool_tmp = io->io_hdr.pool; sc_tmp = CTL_SOFTC(io); - memcpy(io, (void *)addr, sizeof(*io)); + memcpy(io, user_io, sizeof(*io)); io->io_hdr.pool = pool_tmp; CTL_SOFTC(io) = sc_tmp; TAILQ_INIT(&io->io_hdr.blocked_queue); @@ -636,7 +641,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, retval = cfi_submit_wait(io); if (retval == 0) - memcpy((void *)addr, io, sizeof(*io)); + memcpy(user_io, io, sizeof(*io)); ctl_free_io(io); return (retval);
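
Review bot: In the second hunk (@@ -606,6 +606,11 @@), the test `user_io->io_hdr.nexus.initid >= CTL_MAX_INIT_PER_PORT` bounds only the upper side, so it is complete only if `initid` is an unsigned field; its declaration is not part of this diff and should be confirmed. The commit message says IDs are assumed to be "not larger than" CTL_MAX_INIT_PER_PORT while the code also rejects the equal case, so the in-code comment could state the valid range (0 to CTL_MAX_INIT_PER_PORT - 1) to remove the ambiguity. Placing the check before `ctl_alloc_io()` is right, since the `EINVAL` return then has nothing to free. The name `user_io` reads like a userland pointer although it is dereferenced directly and handed to `memcpy`; a short comment noting that `addr` is already kernel-addressable would help the next reader.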
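
Review bot: In the last hunk (@@ -636,7 +641,7 @@), `memcpy(user_io, io, sizeof(*io))` still copies the whole union back to the caller after the third hunk's context lines have set `io->io_hdr.pool = pool_tmp` and `CTL_SOFTC(io) = sc_tmp`, so those kernel-set pointer fields are part of what is returned, as far as these lines show. That behaviour predates this change, which only substitutes `user_io` for `(void *)addr`, but since the function is being hardened against untrusted input a follow-up that clears those fields before the copy-out would be worth considering.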