From nobody Wed Apr 6 03:04:49 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id E732F1A84E6C; Wed, 6 Apr 2022 03:04:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY8WP361lz4f2t; Wed, 6 Apr 2022 03:04:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214289; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TtKl5Iv9QS/q5Tenude1DsLPgdt8cFcX1ieRhfcpTIk=; b=XFc1mkF+5LbeNv7RuCxkF2dlcXnjz6AqLWXjaxmEY8Ug9jVVQwzjcEo0AQugOmyAYikZcJ wVZq+2TMJzp/eE3o5zsrgGfCV+Hxpta5DQTv45k4SiHfTUyS1X3oQObFpJrrFvKxKIhJ4a 3eTkG4d8yVZAaXInYB4Vi59VhkxFZUeVT8g/G6GqxxTyLCknKh0l4ia0vktwkO/VKY9iR1 EdMGIp7Yi+mfPyludoRI/iDPjmklcMdBjnhVks+VU5mDvZDWvJ6fVbEw5CRRd7mJPp2Zn/ HJT14URudaBcP+01C/x6FL3IXkUdzgcVLxoehxKyAdUCN1uyEtlhnyYE+keZQQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 30145133B8; Wed, 6 Apr 2022 03:04:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23634nx3035178; Wed, 6 Apr 2022 03:04:49 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23634nfE035177; Wed, 6 Apr 2022 03:04:49 GMT (envelope-from git) Date: Wed, 6 Apr 2022 03:04:49 GMT Message-Id: <202204060304.23634nfE035177@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: c4c1d79338a3 - releng/12.3 - mpr/mps/mpt: verify cfg page ioctl lengths List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/12.3 X-Git-Reftype: branch X-Git-Commit: c4c1d79338a30d6dcc0fa0cf6d65f1f0bc7a101c Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214289; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TtKl5Iv9QS/q5Tenude1DsLPgdt8cFcX1ieRhfcpTIk=; b=Cf4Zw9LHOI2tV7v/LY8pN+btdbjB/+Dfx2A5aL7kOKoWhQatyj37ClYxT5If0SmSpKKMXk aVXXhg2UucGjpAiTMOwgIg5Qy8T4ZVmVfLNQMb/wS2cIUhNVqaNmoOw4oYEIVEIO7LOL5A FH819rX152jLc6+i3izT5DGtncv2eVmMPTspGaSYN8dkaf6ZGUp4dfEU7Y3NKK3pLiR/Bo gPbkFvKDDHS2tsSkI8G0UKYvM25jTI2nWoag6j4T4B0yZ6PjgFrPfBb8wE72DIN+nTp7d7 FbZeAZwIDXZ58nQma0+umXpQZQQon6InwJXnlGiZIGUyypxrW/Pfy3NxU3XAcQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649214289; a=rsa-sha256; cv=none; b=shuQ7s6gkPr1GbVKOqDHhzag7hqWNEsLq2vACOcm4kvSCLWhaalzkrzLdWxUTHKWoGVV4j LjjJD/l5F6ZHq1TqJQLmHU4tfdARY5scmJAe8BZllfwTEgazw7qaUUFeqDdqZU+B7tewYX X3w9VULZEOjCSOIjelStQ3wt/p0Q/fMANr7tf7urF5enBMXrUzYYZIQ+mIAg1MlScK0+6R UbX4Cc8h/6Iv5JTb7nF+HWss+HQDg8XxAtIgwuz1a9aKGksv39NJJeUgOT+nOD4vnfpZwr LzAen70GwA+HuLgHR99oU6N07DooAth7wolmHNG7i56MyN3RIL8EYuesNTfU9g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch releng/12.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=c4c1d79338a30d6dcc0fa0cf6d65f1f0bc7a101c commit c4c1d79338a30d6dcc0fa0cf6d65f1f0bc7a101c Author: Ed Maste AuthorDate: 2022-04-05 23:21:30 +0000 Commit: Ed Maste CommitDate: 2022-04-05 23:29:20 +0000 mpr/mps/mpt: verify cfg page ioctl lengths *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087) (cherry picked from commit 56d0638c738e3f9b7fbc7f78bd49590523e01ada) Approved by: so Security: CVE-2022-23086 Security: FreeBSD-SA-22:06.ioctl --- sys/dev/mpr/mpr_user.c | 13 +++++++++++++ sys/dev/mps/mps_user.c | 13 +++++++++++++ sys/dev/mpt/mpt_user.c | 13 +++++++++++++ 3 files changed, 39 insertions(+) diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index 3995d01154f7..53b3f94ea152 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -2272,6 +2272,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mpr_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2290,6 +2294,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(ext_page_req->buf, mpr_page, @@ -2304,6 +2313,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len); break; case MPRIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mpr_page, page_req->len); if (error) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index ab4d1d2d86f3..e7e376288961 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -2175,6 +2175,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mps_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2193,6 +2197,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(ext_page_req->buf, mps_page, sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)); @@ -2206,6 +2215,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mps_page, ext_page_req->buf, ext_page_req->len); break; case MPSIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mps_page, page_req->len); if (error) diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c index 80fef9e491bf..cc5a914ef90f 100644 --- a/sys/dev/mpt/mpt_user.c +++ b/sys/dev/mpt/mpt_user.c @@ -672,6 +672,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_CFG_PAGE32: #endif case MPTIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break; @@ -698,6 +702,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_EXT_CFG_PAGE32: #endif case MPTIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len); if (error) break; @@ -717,6 +726,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_WRITE_CFG_PAGE32: #endif case MPTIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break;