src/sys/dev, branch releng/13.0 FreeBSD source tree mpr/mps/mpt: verify cfg page ioctl lengths 2022-04-05T23:26:48+00:00 Ed Maste emaste@FreeBSD.org 2022-04-05T23:26:48+00:00 e724f3ce79707d1085fae666a678eab07c05af5a *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087) (cherry picked from commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb) Approved by: so Security: CVE-2022-23086 Security: FreeBSD-SA-22:06.ioctl 
*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by:	Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by:	imp, mav
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34692

(cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
(cherry picked from commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb)

Approved by:	so
Security:	CVE-2022-23086
Security:	FreeBSD-SA-22:06.ioctl
netmap: Fix TOCTOU vulnerability in nmreq_copyin 2022-04-05T23:26:02+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2022-04-05T23:26:02+00:00 4996f46e03a442765c56b562c04c6e3ceae0104c The total size of the user-provided nmreq was first computed and then trusted during the copyin. This might lead to kernel memory corruption and escape from jails/containers. Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23084 MFC after: 3 days (cherry picked from commit 393729916564ed13f966e09129a24e6931898d12) (cherry picked from commit 9f600a260a738d87015b2e9722b7b4f228cbd47d) Approved by: so Security: FreeBSD-SA-22:04.netmap 
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.

Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
Security: CVE-2022-23084
MFC after:	3 days

(cherry picked from commit 393729916564ed13f966e09129a24e6931898d12)
(cherry picked from commit 9f600a260a738d87015b2e9722b7b4f228cbd47d)

Approved by:	so
Security:	FreeBSD-SA-22:04.netmap
netmap: Fix integer overflow in nmreq_copyin 2022-04-05T23:26:02+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2022-04-05T23:26:02+00:00 00ca345e83ada8b68e302f5406f9799209872c90 An unsanitized field in an option could be abused, causing an integer overflow followed by kernel memory corruption. This might be used to escape jails/containers. Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23085 (cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343) (cherry picked from commit 9df8dd3ea36c8b3abe8fc182647472ca9cd83efd) Approved by: so Security: FreeBSD-SA-22:04.netmap 
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro
Zero Day Initiative
Security: CVE-2022-23085

(cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343)
(cherry picked from commit 9df8dd3ea36c8b3abe8fc182647472ca9cd83efd)

Approved by:	so
Security:	FreeBSD-SA-22:04.netmap
vt: bound buffer access in redraw optimization 2022-01-10T14:51:54+00:00 Ed Maste emaste@FreeBSD.org 2021-09-22T18:41:00+00:00 3e0a1e12416996b63949de2b11ca74a0e0d70bd5 PR: 248628 Reported by: oleg Reviewed by: cem, oleg (both earlier) Fixes: ee97b2336aa4 ("Speed up vt(4) by keeping...") MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32059 (cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84) (cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7) Approved by: so Security: FreeBSD-SA-22:01.vt 
PR:		248628
Reported by:	oleg
Reviewed by:	cem, oleg (both earlier)
Fixes:		ee97b2336aa4 ("Speed up vt(4) by keeping...")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32059

(cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84)
(cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7)

Approved by:	so
Security:	FreeBSD-SA-22:01.vt
Hyper-V: vPCI: Prepopulate device bars 2022-01-10T14:51:54+00:00 Wei Hu whu@FreeBSD.org 2021-11-27T06:42:34+00:00 dfca965af4e11523467f168f36dd0236260e5080 In recent Hyper-V releases on Windows Server 2022, vPCI code does not initialize the last 4 bit of device bar registers. This behavior change could result weird problems cuasing PCI code failure when configuring bars. Just write all 1's to those bars whose probed values are not the same as current read ones. This seems to make Hyper-V vPCI and pci_write_bar() to cooperate correctly on these releases. Reported by: khng@freebsd.org Tested by: khng@freebsd.org MFC after: 2 weeks Sponsored by: Microsoft (cherry picked from commit 75412a521f60d4b0393c730ffb284e7c6ff9d2de) (cherry picked from commit d11e9de955ea01fe01dce58c7eb090fe0352bced) Approved by: so Errata: FreeBSD-EN-22:03.hyperv 
In recent Hyper-V releases on Windows Server 2022, vPCI code does not
initialize the last 4 bit of device bar registers. This behavior change
could result weird problems cuasing PCI code failure when configuring
bars.

Just write all 1's to those bars whose probed values are not the same
as current read ones. This seems to make Hyper-V vPCI and
pci_write_bar() to cooperate correctly on these releases.

Reported by:	khng@freebsd.org
Tested by:	khng@freebsd.org
MFC after:	2 weeks
Sponsored by:	Microsoft

(cherry picked from commit 75412a521f60d4b0393c730ffb284e7c6ff9d2de)
(cherry picked from commit d11e9de955ea01fe01dce58c7eb090fe0352bced)

Approved by:	so
Errata:		FreeBSD-EN-22:03.hyperv
Fix kernel panic in vmci driver initialization. 2021-11-03T20:40:19+00:00 Gordon Tetlow gordon@FreeBSD.org 2021-11-03T20:40:19+00:00 847819dca14d55994540013439eadd0d6f48eb97 Approved by: so Security: EN-21:28.vmci 
Approved by:	so
Security:	EN-21:28.vmci
Fix virtio_blk(4) failing to attach on some hypervisors. 2021-08-24T16:36:55+00:00 Gordon Tetlow gordon@FreeBSD.org 2021-08-24T16:31:52+00:00 f66e34809906a3222446e1407bd9add84dd6f10c Approved by: so Security: EN-21:23.virtio_blk 
Approved by:	so
Security:	EN-21:23.virtio_blk
virtio_pci_legacy: Allow memory space for configuration 2021-05-26T20:32:40+00:00 Ka Ho Ng khng@FreeBSD.org 2021-03-20T07:40:55+00:00 61acb3179a90a93ecb2fe9230986069712f918df For guests running under some kind of VMMs, configuration structure is available in memory space but not I/O space. Approved by: so Security: EN-21:15.virtio Reported by: Yuan Rui <number201724@me.com> Reviewed by: rpokala, bryanv, jhb Approved by: philip (mentor) Differential Revision: https://reviews.freebsd.org/D28818 (cherry picked from commit cf5d1112408ddef3fdff8212599727c49ba90fa4) (cherry picked from commit 2e107638eac2a721bc024314ae79d4688edfc130) 
For guests running under some kind of VMMs, configuration structure is
available in memory space but not I/O space.

Approved by:	so
Security:	EN-21:15.virtio
Reported by:	Yuan Rui <number201724@me.com>
Reviewed by:	rpokala, bryanv, jhb
Approved by:	philip (mentor)
Differential Revision:	https://reviews.freebsd.org/D28818

(cherry picked from commit cf5d1112408ddef3fdff8212599727c49ba90fa4)
(cherry picked from commit 2e107638eac2a721bc024314ae79d4688edfc130)
virtio_pci_legacy: Use the table BAR and PBA BAR from MSI-X cap 2021-05-26T20:32:40+00:00 Ka Ho Ng khng@FreeBSD.org 2021-03-20T07:40:52+00:00 6fe25201ea624180130c08590e0566fc9e238570 The MSI-X resource shouldn't be assumed to be always on BAR1. The Virtio v1.1 Spec did not specify that MSI-X table and PBA BAR has to be BAR1 either. Approved by: so Security: EN-21:15.virtio Reported by: Yuan Rui <number201724@me.com> Reviewed by: bryanv, jhb Approved by: philip (mentor) Differential Revision: https://reviews.freebsd.org/D28817 (cherry picked from commit faf9a4e9142a02c289ee543a6091bd4b925c6a63) (cherry picked from commit 98740ead97c60caca1d7cb3e996108c75f499beb) 
The MSI-X resource shouldn't be assumed to be always on BAR1.
The Virtio v1.1 Spec did not specify that MSI-X table and PBA BAR has to
be BAR1 either.

Approved by:	so
Security:	EN-21:15.virtio
Reported by:	Yuan Rui <number201724@me.com>
Reviewed by:	bryanv, jhb
Approved by:	philip (mentor)
Differential Revision:	https://reviews.freebsd.org/D28817

(cherry picked from commit faf9a4e9142a02c289ee543a6091bd4b925c6a63)
(cherry picked from commit 98740ead97c60caca1d7cb3e996108c75f499beb)
pms(4): Limit maximum I/O size to 256KB instead of 1MB. 2021-05-26T19:30:23+00:00 Alexander Motin mav@FreeBSD.org 2021-04-16T19:39:01+00:00 b62d492067ba38b93200e77bca69e89a9e887eb4 There is a weird limit of AGTIAPI_MAX_DMA_SEGS (128) S/G segments per I/O since the initial driver import. I don't know why it was added, can only guess some hardware limitation, but in worst case it means maximum I/O size of 508KB. Respect it to be safe, rounding to 256KB. Approved by: so Security: EN-21:14.pms MFC after: 1 week Sponsored by: iXsystems, Inc. (cherry picked from commit 3e347834200b5d91a33384e696793e4ac20a44d4) (cherry picked from commit 6514cb18d94e9ab46406b7077d207c8b1a551e6e) 
There is a weird limit of AGTIAPI_MAX_DMA_SEGS (128) S/G segments per
I/O since the initial driver import.  I don't know why it was added,
can only guess some hardware limitation, but in worst case it means
maximum I/O size of 508KB.  Respect it to be safe, rounding to 256KB.

Approved by:	so
Security:	EN-21:14.pms
MFC after:	1 week
Sponsored by:	iXsystems, Inc.

(cherry picked from commit 3e347834200b5d91a33384e696793e4ac20a44d4)
(cherry picked from commit 6514cb18d94e9ab46406b7077d207c8b1a551e6e)