svn commit: r330880 - head/sys/dev/md

[Brooks Davis]

Author: brooks
Date: Tue Mar 13 20:39:06 2018
New Revision: 330880
URL: https://svnweb.freebsd.org/changeset/base/330880

Log:
  Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.
  
  Always terminate the list with -1 and document the ioctl behavior.
  This preserves existing behavior as seen from userspace with the
  addition of the unconditional termination which will not be seen by
  working consumers of MDIOCLIST.
  
  Because this ioctl can only be performed by root (in default
  configurations) and is not used in the base system this bug is not
  deemed to warrant either a security advisory or an eratta notice.
  
  Reviewed by:	kib
  Obtained from:	CheriBSD
  Discussed with:	security-officer (gordon)
  MFC after:	3 days
  Security:	kernel heap buffer overflow
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14685

Modified:
  head/sys/dev/md/md.c

Modified: head/sys/dev/md/md.c
==============================================================================
--- head/sys/dev/md/md.c	Tue Mar 13 20:35:32 2018	(r330879)
+++ head/sys/dev/md/md.c	Tue Mar 13 20:39:06 2018	(r330880)
@@ -1750,13 +1750,24 @@ err_after_new:
 			    strlen(sc->file) + 1);
 		return (error);
 	case MDIOCLIST:
+		/*
+		 * Write the number of md devices to mdio->md_pad[0].
+		 * Write the unit number of the first (MDNPAD - 2) units
+		 * to mdio->md_pad[1::(MDNPAD - 2)] and terminate the
+		 * list with -1.
+		 *
+		 * XXX: There is currently no mechanism to retrieve unit
+		 * numbers for more than (MDNPAD - 2) units.
+		 *
+		 * XXX: Due to the use of LIST_INSERT_HEAD in mdnew(), the
+		 * list of visible unit numbers not stable.
+		 */
 		i = 1;
 		LIST_FOREACH(sc, &md_softc_list, list) {
-			if (i == MDNPAD - 1)
-				mdio->md_pad[i] = -1;
-			else
+			if (i < MDNPAD - 1)
 				mdio->md_pad[i++] = sc->unit;
 		}
+		mdio->md_pad[MIN(i, MDNPAD - 1)] = -1;
 		mdio->md_pad[0] = i - 1;
 		return (0);
 	default: