To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: 6f8312bdff23 - main - ctl_ioctl_frontend: Reject out-of-range initiator IDs
Date: Sat, 02 May 2026 16:50:46 +0000
Message-Id: <69f62b66.23e7e.78811af8@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6f8312bdff236ad64d1c15c239051359d8245a68

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f8312bdff236ad64d1c15c239051359d8245a68

commit 6f8312bdff236ad64d1c15c239051359d8245a68
Author:     John Baldwin
AuthorDate: 2026-05-02 16:43:29 +0000
Commit:     John Baldwin
CommitDate: 2026-05-02 16:43:29 +0000

    ctl_ioctl_frontend: Reject out-of-range initiator IDs

    Various places in CTL assume that initiator IDs are not larger than
    CTL_MAX_INIT_PER_PORT. Other IDs such as lun IDs are validated in
    places such as ctl_scsiio_precheck, but initiator IDs submitted by
    userland were not previously validated.

    PR: 291059
    Reported by: Hans Rosenfeld
    Reviewed by: asomers
    Sponsored by: Chelsio Communications
    Differential Revision: https://reviews.freebsd.org/D56628
--- sys/cam/ctl/ctl_frontend_ioctl.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/sys/cam/ctl/ctl_frontend_ioctl.c b/sys/cam/ctl/ctl_frontend_ioctl.c index 3449154afb38..4b82552ec21f 100644 --- a/sys/cam/ctl/ctl_frontend_ioctl.c +++ b/sys/cam/ctl/ctl_frontend_ioctl.c 
@@ -588,7 +588,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td) { struct cfi_port *cfi; - union ctl_io *io; + union ctl_io *io, *user_io; void *pool_tmp, *sc_tmp; int retval = 0; @@ -606,6 +606,11 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, if ((cfi->port.status & CTL_PORT_STATUS_ONLINE) == 0) return (EPERM); + /* Reject out-of-range initiator IDs. */ + user_io = (void *)addr; + if (user_io->io_hdr.nexus.initid >= CTL_MAX_INIT_PER_PORT) + return (EINVAL); + io = ctl_alloc_io(cfi->port.ctl_pool_ref); /* @@ -614,7 +619,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, */ pool_tmp = io->io_hdr.pool; sc_tmp = CTL_SOFTC(io); - memcpy(io, (void *)addr, sizeof(*io)); + memcpy(io, user_io, sizeof(*io)); io->io_hdr.pool = pool_tmp; CTL_SOFTC(io) = sc_tmp; TAILQ_INIT(&io->io_hdr.blocked_queue); @@ -636,7 +641,7 @@ ctl_ioctl_io(struct cdev *dev, u_long cmd, caddr_t addr, int flag, retval = cfi_submit_wait(io); if (retval == 0) - memcpy((void *)addr, io, sizeof(*io)); + memcpy(user_io, io, sizeof(*io)); ctl_free_io(io); return (retval);
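
Review bot: in the second hunk (the new check placed ahead of ctl_alloc_io), the test uses `>=`, so an initid equal to CTL_MAX_INIT_PER_PORT is rejected, while the commit message words the assumption as IDs being "not larger than" that limit. The code reads like the intended form if the value is later used as an index bounded by that constant; the one-line comment could state the accepted range explicitly (0 through CTL_MAX_INIT_PER_PORT - 1) so the comment, the commit message and the test agree. Only an upper bound is tested, so it is also worth confirming that nexus.initid is an unsigned type, since a negative value in a signed field would pass `>= CTL_MAX_INIT_PER_PORT`. Doing the check before ctl_alloc_io keeps the EINVAL return free of cleanup, which is the right place for it.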
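
Review bot: in the last hunk, the copy-out `memcpy(user_io, io, sizeof(*io));` still returns the whole union to the caller's buffer, including io_hdr.pool and the CTL_SOFTC slot that the third hunk restores to the kernel's own values right after the copy-in. That behaviour predates this change, but since the function is being tightened for userland input, consider whether those kernel-owned fields should be cleared or set back to the caller's original values before the copy back. Introducing user_io for both memcpy calls is fine as it stands; declaring the cast as `(union ctl_io *)addr` rather than `(void *)addr` would make the intent clearer at the point of the check.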