From owner-svn-src-stable@freebsd.org Wed Jul 3 17:35:24 2019 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C1EB615DB37A; Wed, 3 Jul 2019 17:35:24 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 680FC86410; Wed, 3 Jul 2019 17:35:24 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 42734F110; Wed, 3 Jul 2019 17:35:24 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x63HZOEd002974; Wed, 3 Jul 2019 17:35:24 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x63HZO5a002973; Wed, 3 Jul 2019 17:35:24 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201907031735.x63HZO5a002973@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Wed, 3 Jul 2019 17:35:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r349658 - stable/11/sys/dev/nand X-SVN-Group: stable-11 X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: stable/11/sys/dev/nand X-SVN-Commit-Revision: 349658 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 680FC86410 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.98)[-0.975,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 17:35:24 -0000 Author: emaste Date: Wed Jul 3 17:35:23 2019 New Revision: 349658 URL: https://svnweb.freebsd.org/changeset/base/349658 Log: MFC r349268: nandsim: correct test to avoid out-of-bounds access Previously nandsim_chip_status returned EINVAL iff both of user-provided chip->ctrl_num and chip->num were out of bounds. If only one failed the bounds check arbitrary memory would be read and returned. The NAND framework is not built by default, nandsim is not intended for production use (it is a simulator), and the nandsim device has root-only permissions. admbugs: 827 Reported by: Daniel Hodson of elttam Security: kernel information leak or DoS Sponsored by: The FreeBSD Foundation Modified: stable/11/sys/dev/nand/nandsim.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/nand/nandsim.c ============================================================================== --- stable/11/sys/dev/nand/nandsim.c Wed Jul 3 17:34:26 2019 (r349657) +++ stable/11/sys/dev/nand/nandsim.c Wed Jul 3 17:35:23 2019 (r349658) @@ -293,7 +293,7 @@ nandsim_chip_status(struct sim_chip *chip) nand_debug(NDBG_SIM,"status for chip num:%d at ctrl:%d", chip->num, chip->ctrl_num); - if (chip->ctrl_num >= MAX_SIM_DEV && + if (chip->ctrl_num >= MAX_SIM_DEV || chip->num >= MAX_CTRL_CS) return (EINVAL);