From owner-svn-src-stable@freebsd.org Wed Jul 3 17:34:27 2019 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9478A15DB30C; Wed, 3 Jul 2019 17:34:27 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 33C4F862D0; Wed, 3 Jul 2019 17:34:27 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0011FF10F; Wed, 3 Jul 2019 17:34:26 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x63HYQl8002870; Wed, 3 Jul 2019 17:34:26 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x63HYQL2002869; Wed, 3 Jul 2019 17:34:26 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201907031734.x63HYQL2002869@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Wed, 3 Jul 2019 17:34:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r349657 - stable/12/sys/dev/nand X-SVN-Group: stable-12 X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: stable/12/sys/dev/nand X-SVN-Commit-Revision: 349657 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 33C4F862D0 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_SHORT(-0.98)[-0.975,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 17:34:27 -0000 Author: emaste Date: Wed Jul 3 17:34:26 2019 New Revision: 349657 URL: https://svnweb.freebsd.org/changeset/base/349657 Log: MFC r349268: nandsim: correct test to avoid out-of-bounds access Previously nandsim_chip_status returned EINVAL iff both of user-provided chip->ctrl_num and chip->num were out of bounds. If only one failed the bounds check arbitrary memory would be read and returned. The NAND framework is not built by default, nandsim is not intended for production use (it is a simulator), and the nandsim device has root-only permissions. admbugs: 827 Reported by: Daniel Hodson of elttam Security: kernel information leak or DoS Sponsored by: The FreeBSD Foundation Modified: stable/12/sys/dev/nand/nandsim.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/dev/nand/nandsim.c ============================================================================== --- stable/12/sys/dev/nand/nandsim.c Wed Jul 3 17:24:24 2019 (r349656) +++ stable/12/sys/dev/nand/nandsim.c Wed Jul 3 17:34:26 2019 (r349657) @@ -295,7 +295,7 @@ nandsim_chip_status(struct sim_chip *chip) nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num, chip->ctrl_num); - if (chip->ctrl_num >= MAX_SIM_DEV && + if (chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS) return (EINVAL);