Date: Mon, 4 Apr 2022 16:24:36 GMT
Message-Id: <202204041624.234GOaQl021689@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: aef190f298af - releng/13.1 - mpr/mps/mpt: verify cfg page ioctl lengths
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.1
X-Git-Reftype: branch
X-Git-Commit: aef190f298af3659a7c9cf1c5d17934e6b26019f

The branch releng/13.1 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=aef190f298af3659a7c9cf1c5d17934e6b26019f

commit aef190f298af3659a7c9cf1c5d17934e6b26019f
Author:     Ed Maste
AuthorDate: 2022-03-28 13:33:54 +0000
Commit:     Ed Maste
CommitDate: 2022-04-04 16:24:05 +0000

    mpr/mps/mpt: verify cfg page ioctl lengths

    *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
    buffer of a caller-specified size, but copied to it a fixed size header.
    Add checks that the size is at least the required minimum.

    Note that the device nodes are owned by root:operator with 0640
    permissions so the ioctls are not available to unprivileged users.

    This change includes suggestions from scottl, markj and mav.

    Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend
    Micro Zero Day Initiative; scottl reported the third case in mpt.  Same
    issue found in mpr and mps after discussion with imp.

    Reported by:	Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
    Reviewed by:	imp, mav
    MFC after:	3 days
    Sponsored by:	The FreeBSD Foundation
    Differential Revision:	https://reviews.freebsd.org/D34692

    (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
    (cherry picked from commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb)

    Approved by:	re (gjb)
---
 sys/dev/mpr/mpr_user.c | 13 +++++++++++++
 sys/dev/mps/mps_user.c | 13 +++++++++++++
 sys/dev/mpt/mpt_user.c | 13 +++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index cab865e2e535..08c2b8b39244 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -2266,6 +2266,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mpr_page, sizeof(MPI2_CONFIG_PAGE_HEADER));
@@ -2284,6 +2288,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(ext_page_req->buf, mpr_page, @@ -2298,6 +2307,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len); break; case MPRIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mpr_page, page_req->len); if (error) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index 9d4aab54562f..a16201cde131 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -2168,6 +2168,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mps_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2186,6 +2190,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(ext_page_req->buf, mps_page, sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)); 
@@ -2199,6 +2208,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mps_page, ext_page_req->buf, ext_page_req->len); break; case MPSIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mps_page, page_req->len); if (error) diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c index cf339387c10e..10d5bac15d49 100644 --- a/sys/dev/mpt/mpt_user.c +++ b/sys/dev/mpt/mpt_user.c @@ -672,6 +672,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_CFG_PAGE32: #endif case MPTIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break; @@ -698,6 +702,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_EXT_CFG_PAGE32: #endif case MPTIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len); if (error) break; @@ -717,6 +726,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_WRITE_CFG_PAGE32: #endif case MPTIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break;