From owner-svn-src-all@freebsd.org Thu Sep 6 14:03:11 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5EF12FFC381; Thu, 6 Sep 2018 14:03:11 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0CBF4785AA; Thu, 6 Sep 2018 14:03:11 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 056F96099; Thu, 6 Sep 2018 14:03:11 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w86E3A7g097916; Thu, 6 Sep 2018 14:03:10 GMT (envelope-from mav@FreeBSD.org) Received: (from mav@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w86E3AUm097915; Thu, 6 Sep 2018 14:03:10 GMT (envelope-from mav@FreeBSD.org) Message-Id: <201809061403.w86E3AUm097915@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mav set sender to mav@FreeBSD.org using -f From: Alexander Motin Date: Thu, 6 Sep 2018 14:03:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r338494 - head/sys/cam/ctl X-SVN-Group: head X-SVN-Commit-Author: mav X-SVN-Commit-Paths: head/sys/cam/ctl X-SVN-Commit-Revision: 338494 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2018 14:03:11 -0000 Author: mav Date: Thu Sep 6 14:03:10 2018 New Revision: 338494 URL: https://svnweb.freebsd.org/changeset/base/338494 Log: Add missing copyin() to access LUN and port ioctl arguments. Somehow this was working even after PTI in, at least on amd64, and got broken by something only very recently. Reviewed by: araujo Approved by: re (gjb) Modified: head/sys/cam/ctl/ctl.c Modified: head/sys/cam/ctl/ctl.c ============================================================================== --- head/sys/cam/ctl/ctl.c Thu Sep 6 12:41:09 2018 (r338493) +++ head/sys/cam/ctl/ctl.c Thu Sep 6 14:03:10 2018 (r338494) @@ -2943,8 +2943,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, } if (lun_req->args != NULL) { - lun_req->args_nvl = nvlist_unpack(lun_req->args, + packed = malloc(lun_req->args_len, M_CTL, M_WAITOK); + if (copyin(lun_req->args, packed, lun_req->args_len) != 0) { + free(packed, M_CTL); + lun_req->status = CTL_LUN_ERROR; + snprintf(lun_req->error_str, sizeof(lun_req->error_str), + "Cannot copyin args."); + break; + } + lun_req->args_nvl = nvlist_unpack(packed, lun_req->args_len, 0); + free(packed, M_CTL); if (lun_req->args_nvl == NULL) { lun_req->status = CTL_LUN_ERROR; @@ -3211,8 +3220,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, } if (req->args != NULL) { - req->args_nvl = nvlist_unpack(req->args, + packed = malloc(req->args_len, M_CTL, M_WAITOK); + if (copyin(req->args, packed, req->args_len) != 0) { + free(packed, M_CTL); + req->status = CTL_LUN_ERROR; + snprintf(req->error_str, sizeof(req->error_str), + "Cannot copyin args."); + break; + } + req->args_nvl = nvlist_unpack(packed, req->args_len, 0); + free(packed, M_CTL); if (req->args_nvl == NULL) { req->status = CTL_LUN_ERROR;