author | Alan Somers <asomers@FreeBSD.org> | 2023-03-01 18:53:46 +0000 |
---|---|---|
committer | Alan Somers <asomers@FreeBSD.org> | 2023-03-02 20:31:06 +0000 |
commit | 72aad3f9028af12e6c56a3a461b46a153abd7b24 (patch) | |
tree | 5bb9765df3055db84feb1b81b960997747187d5c | |
parent | 0fed8288c3fd75a57e3fd4649cded9eac07a6758 (diff) | |
Fix kernel memory disclosures in mpr and mps
In every mpr and mps ioctl that copies kernel data to userland, validate
that the requested length does not exceed the size of the kernel's
buffer.
Note that all of these ioctls already required root access.
MFC after: 2 weeks
Sponsored by: Axcient
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D38842
-rw-r--r-- | sys/dev/mpr/mpr_user.c | 7 | ||||
-rw-r--r-- | sys/dev/mps/mps_user.c | 7 |
2 files changed, 8 insertions, 6 deletions
diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
index d04aaa24ea0b..5b5c11dd4a65 100644
--- a/sys/dev/mpr/mpr_user.c
+++ b/sys/dev/mpr/mpr_user.c
@@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 }
 mpr_unlock(sc);
 copyout(cm->cm_reply, PTRIN(data->PtrReply),
- data->ReplySize);
+ MIN(sz, data->ReplySize));
 mpr_lock(sc);
 }
 mprsas_free_tm(sc, cm);
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 data->ReplySize, sz);
 }
 mpr_unlock(sc);
- copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+ copyout(cm->cm_reply, PTRIN(data->PtrReply),
+ MIN(sz, data->ReplySize));
 mpr_lock(sc);
 
 if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data)
 if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 mpr_unlock(sc);
 if (copyout((void *)sc->recorded_events,
- PTRIN(data->PtrEvents), size) != 0)
+ PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 status = EFAULT;
 mpr_lock(sc);
 } else {
diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index cdab4d4cd841..9d6aeedafdea 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -862,7 +862,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 }
 mps_unlock(sc);
 copyout(cm->cm_reply, PTRIN(data->PtrReply),
- data->ReplySize);
+ MIN(sz, data->ReplySize));
 mps_lock(sc);
 }
 mpssas_free_tm(sc, cm);
@@ -1015,7 +1015,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 data->ReplySize, sz);
 }
 mps_unlock(sc);
- copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+ copyout(cm->cm_reply, PTRIN(data->PtrReply),
+ MIN(sz, data->ReplySize));
 mps_lock(sc);
 
 if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
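Review bot: The return value of copyout() is still discarded on the changed lines of the @@ -863 hunk, so an unmapped or too-small PtrReply buffer leaves the caller with nothing while the ioctl reports success; the event-report hunk in the same file already checks it and sets EFAULT, and the pass-thru copies should match that, e.g. `if (copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)) != 0)` followed by setting the function's error return to EFAULT. The same applies to the second mpr_user_pass_thru hunk (@@ -1087) and to both mps_user_pass_thru hunks (@@ -862 and @@ -1015). Clamping to `sz` closes the over-read, but a caller that passed a larger ReplySize is not told that fewer bytes were written; if the request structure carries a returned-length field (not visible here), it should be set to the clamped value. `sz` is computed outside the hunk and mpr_user_pass_thru begins and ends outside it, so the reading that sz is the valid length of cm->cm_reply is inferred only from the `data->ReplySize, sz` context in the @@ -1087 hunk.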
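Review bot: In the @@ -2065 hunk the guard (`size >= sizeof(sc->recorded_events)`) and the length now passed to copyout() are the same expression written twice, which is exactly the pairing that drifted apart before this fix; naming it once keeps them in sync: `const size_t ev_len = sizeof(sc->recorded_events);`, `if ((size >= ev_len) && (status == 0)) {`, and `PTRIN(data->PtrEvents), ev_len) != 0)`. A short why-comment above the guard would also help the next reader, e.g. `/* size is the caller's buffer length; copy only the kernel array, never size bytes */`. The same applies to the mps_user_event_report hunk (@@ -1955). Whether the ioctl reports the copied length back to userland is not visible in this hunk, and mpr_user_event_report starts and ends outside it.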
@@ -1955,7 +1956,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data)
 if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 mps_unlock(sc);
 if (copyout((void *)sc->recorded_events,
- PTRIN(data->PtrEvents), size) != 0)
+ PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 status = EFAULT;
 mps_lock(sc);
 } else {