Date:      Sat, 02 May 2026 16:50:46 +0000
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 6f8312bdff23 - main - ctl_ioctl_frontend: Reject out-of-range initiator IDs
Message-ID:  <69f62b66.23e7e.78811af8@gitrepo.freebsd.org>


The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f8312bdff236ad64d1c15c239051359d8245a68

commit 6f8312bdff236ad64d1c15c239051359d8245a68
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2026-05-02 16:43:29 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2026-05-02 16:43:29 +0000

    ctl_ioctl_frontend: Reject out-of-range initiator IDs
    
    Various places in CTL assume that initiator IDs are not larger than
    CTL_MAX_INIT_PER_PORT.  Other IDs such as lun IDs are validated in
    places such as ctl_scsiio_precheck, but initiator IDs submitted by
    userland were not previously validated.
    
    PR:             291059
    Reported by:    Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
    Reviewed by:    asomers
    Sponsored by:   Chelsio Communications
    Differential Revision:  https://reviews.freebsd.org/D56628
---
 sys/cam/ctl/ctl_frontend_ioctl.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/cam/ctl/ctl_frontend_ioctl.c b/sys/cam/ctl/ctl_frontend_ioctl.c
index 3449154afb38..4b82552ec21f 100644
--- a/sys/cam/ctl/ctl_frontend_ioctl.c
+++ b/sys/cam/ctl/ctl_frontend_ioctl.c
@@ -588,7 +588,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
     struct thread *td)
 {
 	struct cfi_port *cfi;
-	union ctl_io *io;
+	union ctl_io *io, *user_io;
 	void *pool_tmp, *sc_tmp;
 	int retval = 0;
 
@@ -606,6 +606,11 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 	if ((cfi->port.status & CTL_PORT_STATUS_ONLINE) == 0)
 		return (EPERM);
 
+	/* Reject out-of-range initiator IDs. */
+	user_io = (void *)addr;
+	if (user_io->io_hdr.nexus.initid >= CTL_MAX_INIT_PER_PORT)
+		return (EINVAL);
+
 	io = ctl_alloc_io(cfi->port.ctl_pool_ref);
 
 	/*
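Review bot: The range check is placed before `ctl_alloc_io()`, so returning EINVAL here leaks nothing, which is the right ordering. Two things worth confirming: that `nexus.initid` is an unsigned type, because a single `>= CTL_MAX_INIT_PER_PORT` compare only rejects negative values when it is; and that the comment states `CTL_MAX_INIT_PER_PORT` is an exclusive bound (valid IDs are `0 .. CTL_MAX_INIT_PER_PORT - 1`), which is why `>=` rather than `>` is used.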
@@ -614,7 +619,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 	 */
 	pool_tmp = io->io_hdr.pool;
 	sc_tmp = CTL_SOFTC(io);
-	memcpy(io, (void *)addr, sizeof(*io));
+	memcpy(io, user_io, sizeof(*io));
 	io->io_hdr.pool = pool_tmp;
 	CTL_SOFTC(io) = sc_tmp;
 	TAILQ_INIT(&io->io_hdr.blocked_queue);
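Review bot: Switching the source from `(void *)addr` to `user_io` is a pure readability change, but the correctness argument deserves a one-line comment next to the `memcpy()`: the `initid` check above reads from the same buffer that is copied here, and `addr` is the kernel-side copy of the ioctl argument, so the validated value and the copied value cannot differ (no double-fetch window). Recording that makes it harder for a later refactor to move the check after the copy.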
@@ -636,7 +641,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 
 	retval = cfi_submit_wait(io);
 	if (retval == 0)
-		memcpy((void *)addr, io, sizeof(*io));
+		memcpy(user_io, io, sizeof(*io));
 
 	ctl_free_io(io);
 	return (retval);

