From owner-svn-src-head@freebsd.org Tue Mar 13 20:39:07 2018 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6E24DF4E9D2; Tue, 13 Mar 2018 20:39:07 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0FF7374842; Tue, 13 Mar 2018 20:39:07 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0859F1EA63; Tue, 13 Mar 2018 20:39:07 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2DKd62j034861; Tue, 13 Mar 2018 20:39:06 GMT (envelope-from brooks@FreeBSD.org) Received: (from brooks@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2DKd6r2034860; Tue, 13 Mar 2018 20:39:06 GMT (envelope-from brooks@FreeBSD.org) Message-Id: <201803132039.w2DKd6r2034860@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brooks set sender to brooks@FreeBSD.org using -f From: Brooks Davis Date: Tue, 13 Mar 2018 20:39:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r330880 - head/sys/dev/md X-SVN-Group: head X-SVN-Commit-Author: brooks X-SVN-Commit-Paths: head/sys/dev/md X-SVN-Commit-Revision: 330880 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Mar 2018 20:39:07 -0000 Author: brooks Date: Tue Mar 13 20:39:06 2018 New Revision: 330880 URL: https://svnweb.freebsd.org/changeset/base/330880 Log: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl. Always terminate the list with -1 and document the ioctl behavior. This preserves existing behavior as seen from userspace with the addition of the unconditional termination which will not be seen by working consumers of MDIOCLIST. Because this ioctl can only be performed by root (in default configurations) and is not used in the base system this bug is not deemed to warrant either a security advisory or an eratta notice. Reviewed by: kib Obtained from: CheriBSD Discussed with: security-officer (gordon) MFC after: 3 days Security: kernel heap buffer overflow Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14685 Modified: head/sys/dev/md/md.c Modified: head/sys/dev/md/md.c ============================================================================== --- head/sys/dev/md/md.c Tue Mar 13 20:35:32 2018 (r330879) +++ head/sys/dev/md/md.c Tue Mar 13 20:39:06 2018 (r330880) @@ -1750,13 +1750,24 @@ err_after_new: strlen(sc->file) + 1); return (error); case MDIOCLIST: + /* + * Write the number of md devices to mdio->md_pad[0]. + * Write the unit number of the first (MDNPAD - 2) units + * to mdio->md_pad[1::(MDNPAD - 2)] and terminate the + * list with -1. + * + * XXX: There is currently no mechanism to retrieve unit + * numbers for more than (MDNPAD - 2) units. + * + * XXX: Due to the use of LIST_INSERT_HEAD in mdnew(), the + * list of visible unit numbers not stable. + */ i = 1; LIST_FOREACH(sc, &md_softc_list, list) { - if (i == MDNPAD - 1) - mdio->md_pad[i] = -1; - else + if (i < MDNPAD - 1) mdio->md_pad[i++] = sc->unit; } + mdio->md_pad[MIN(i, MDNPAD - 1)] = -1; mdio->md_pad[0] = i - 1; return (0); default: