From nobody Tue May 21 17:53:56 2024
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VkMW90HwXz5LvBl;
	Tue, 21 May 2024 17:53:57 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4VkMW85xK1z4rGj;
	Tue, 21 May 2024 17:53:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VkMW85Y7lzXdK;
	Tue, 21 May 2024 17:53:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 44LHruGD021710;
	Tue, 21 May 2024 17:53:56 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 44LHrunh021707;
	Tue, 21 May 2024 17:53:56 GMT
	(envelope-from git)
Date: Tue, 21 May 2024 17:53:56 GMT
Message-Id: <202405211753.44LHrunh021707@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Christos Margiolis <christos@FreeBSD.org>
Subject: git: 5830a00c2c54 - stable/14 - sound: Check user-supplied
  size passed to SNDSTIOC_ADD_USER_DEVS*
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: christos
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 5830a00c2c5485ec17900558e4f29c459c6a1f3e
Auto-Submitted: auto-generated

The branch stable/14 has been updated by christos:

URL: https://cgit.FreeBSD.org/src/commit/?id=5830a00c2c5485ec17900558e4f29c459c6a1f3e

commit 5830a00c2c5485ec17900558e4f29c459c6a1f3e
Author:     Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2024-05-20 14:18:28 +0000
Commit:     Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2024-05-21 17:45:49 +0000

    sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
    
    SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
    however we currently do not check whether this size is actually valid,
    which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
    invalid size. sndstat_add_user_devs() calls
    sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.
    
    PR:             266142
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 day
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D45236
    
    (cherry picked from commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b)
---
 sys/dev/sound/pcm/sndstat.c | 5 +++++
 sys/sys/sndstat.h           | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/sys/dev/sound/pcm/sndstat.c b/sys/dev/sound/pcm/sndstat.c
index edb33e92ade9..f310d8f3bff3 100644
--- a/sys/dev/sound/pcm/sndstat.c
+++ b/sys/dev/sound/pcm/sndstat.c
@@ -864,6 +864,11 @@ sndstat_add_user_devs(struct sndstat_file *pf, caddr_t data)
 		goto done;
 	}
 
+	if (arg->nbytes > SNDST_UNVLBUF_MAX) {
+		err = ENOMEM;
+		goto done;
+	}
+
 	err = sndstat_unpack_user_nvlbuf(arg->buf, arg->nbytes, &nvl);
 	if (err != 0)
 		goto done;
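
Review bot: The new `arg->nbytes > SNDST_UNVLBUF_MAX` branch reports ENOMEM, which tells the caller the kernel ran out of memory when the real condition is a caller-supplied size above a fixed limit. EINVAL (or E2BIG) would let userland tell a bad argument apart from a transient allocation failure. The bound is also enforced only at this call site; if sndstat_unpack_user_nvlbuf() has or gains another caller, the size reaches its malloc() unchecked, so consider moving the check into that function, next to the allocation it protects. Only the upper bound is visible in this hunk; please confirm the preceding checks already reject nbytes == 0.
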
diff --git a/sys/sys/sndstat.h b/sys/sys/sndstat.h
index f0e4d352242f..8a49042b0453 100644
--- a/sys/sys/sndstat.h
+++ b/sys/sys/sndstat.h
@@ -74,6 +74,11 @@ struct sndstioc_nv_arg {
 #define SNDST_DSPS_SOUND4_PVCHAN	"pvchan"
 #define SNDST_DSPS_SOUND4_RVCHAN	"rvchan"
 
+/*
+ * Maximum user-specified nvlist buffer size
+ */
+#define SNDST_UNVLBUF_MAX		65535
+
 #define SNDSTIOC_REFRESH_DEVS \
 	_IO('D', 100)
 #define SNDSTIOC_GET_DEVS \
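
Review bot: The comment above `SNDST_UNVLBUF_MAX` does not give the unit or say why the limit is 65535. This header also carries the SNDSTIOC_* ioctl definitions, so the constant becomes part of what userland callers see and should be documented as such. Suggest stating that it is a byte count applied to sndstioc_nv_arg->nbytes for SNDSTIOC_ADD_USER_DEVS*, that larger requests are now rejected, and the reasoning behind the chosen value, so a later change to the limit is made deliberately.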