From nobody Mon Apr 04 00:46:25 2022
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id DED761A4CAF8;
	Mon,  4 Apr 2022 00:46:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KWsXd5vZkz4mwC;
	Mon,  4 Apr 2022 00:46:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1649033185;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X+2vRMFvJfbhd1GWzB5oHiRjUP0piD6xUajhs4LYx2g=;
	b=Vrj4zBQf/3X++C6ifIttbUy47QmoAi1J7Q8e2a6mab7x65mUXOtaPbtTigGZ3rz+yDDxju
	K1lniipoj1cvmCspGzXQmRGi9zwasOqJQubcAosbYHPgitBvm1IocQP8YVj0uaaZnBVDH8
	2/JVbNnjOnClO7PwdgoMs1BfC3qnAoXr1MmejTsa1FBhmY5sYosvlyauCHpEorZh6HE8Fk
	S0d7oC7kl6l5nRednoxiT/bZyVz90318LupQHSELa0Folur36EHoHQe1wf3T6XmWfOJnLG
	n0QgDi3jKlsTAc4z/Uvy7gD2vHJxh16OHOU6TxUBBDo/Np4Yty+pucEayJCtKA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AA5CE27CF3;
	Mon,  4 Apr 2022 00:46:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2340kP5T049956;
	Mon, 4 Apr 2022 00:46:25 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2340kP2w049955;
	Mon, 4 Apr 2022 00:46:25 GMT
	(envelope-from git)
Date: Mon, 4 Apr 2022 00:46:25 GMT
Message-Id: <202204040046.2340kP2w049955@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: 0b29e1b9f9df - stable/13 - mpr/mps/mpt: verify cfg page ioctl lengths
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1649033185;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X+2vRMFvJfbhd1GWzB5oHiRjUP0piD6xUajhs4LYx2g=;
	b=exl0mfKLRR4gQpq5fySK0A8cG2GxDhn6XkiMdyMNxxYL9tV8LW+EGTFraoLI2YlBedFEme
	zThuvSltQlR90aRGt6XF4alMbEktJLGmu7GJ3yji+x5Evjd0mmXMfUxlKi9DK0Pn9fpXmy
	BW/FuAIfE0iSqk8FW3x7O+BeaCsQcQ1Mf7u/8ccUzDZwob6T0Ff/n6t+j5OnNw9tCKyY5+
	3rzHMiVVKkPYjAguBC17G4085LKQJW/J3HVwhiszQq+gGf6ZJgfqbD6ATXZAKenlaje8Vz
	asKaHQKgLdu1H2HbylecnKFkfSxH9naY6tG3TRlP1Oc1oxqvOdOVaSwK54F6EA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649033185; a=rsa-sha256; cv=none;
	b=NkRuYCEyM7XjOrN/PJPG56+7W+cXWc5TM/kJvpgNklk8qBmuMBdWqwZ+nEmK023r4qEA42
	+/FlX3RwBx9PmXBoBqs1cl0VFenIicDB2JyjsZVUMwFRcxFtW6sp0M/V2CanwaA4xJp3JF
	hQ+T2MnqTjKUslRpg6a/mrG0X0Ci78W6c8+QJoEukt7cFyTF8d7O8I6OIKRXwiDU5T8qbh
	Nin79TaG0R8vmfPIJsDT5rGj6ZC1I1GFS+woe3HEolWuV90MvoKPg7X2BL49jxlKl/hZhX
	WBdloz2n0DRUKkdJn622b68BtTr9buSr/bLs0AX2FDKIubc3SbDLJUFaESFbjQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb

commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-03-28 13:33:54 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-04 00:45:41 +0000

    mpr/mps/mpt: verify cfg page ioctl lengths
    
    *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
    buffer of a caller-specified size, but copied to it a fixed size header.
    Add checks that the size is at least the required minimum.
    
    Note that the device nodes are owned by root:operator with 0640
    permissions so the ioctls are not available to unprivileged users.
    
    This change includes suggestions from scottl, markj and mav.
    
    Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
    Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
    Same issue found in mpr and mps after discussion with imp.
    
    Reported by:    Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
    Reviewed by:    imp, mav
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34692
    
    (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
---
 sys/dev/mpr/mpr_user.c | 13 +++++++++++++
 sys/dev/mps/mps_user.c | 13 +++++++++++++
 sys/dev/mpt/mpt_user.c | 13 +++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
index cab865e2e535..08c2b8b39244 100644
--- a/sys/dev/mpr/mpr_user.c
+++ b/sys/dev/mpr/mpr_user.c
@@ -2266,6 +2266,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		mpr_unlock(sc);
 		break;
 	case MPRIO_READ_CFG_PAGE:
+		if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO);
 		error = copyin(page_req->buf, mpr_page,
 		    sizeof(MPI2_CONFIG_PAGE_HEADER));
@@ -2284,6 +2288,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		mpr_unlock(sc);
 		break;
 	case MPRIO_READ_EXT_CFG_PAGE:
+		if (ext_page_req->len <
+		    (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mpr_page = malloc(ext_page_req->len, M_MPRUSER,
 		    M_WAITOK | M_ZERO);
 		error = copyin(ext_page_req->buf, mpr_page,
@@ -2298,6 +2307,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len);
 		break;
 	case MPRIO_WRITE_CFG_PAGE:
+		if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO);
 		error = copyin(page_req->buf, mpr_page, page_req->len);
 		if (error)
diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index 9d4aab54562f..a16201cde131 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -2168,6 +2168,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		mps_unlock(sc);
 		break;
 	case MPSIO_READ_CFG_PAGE:
+		if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO);
 		error = copyin(page_req->buf, mps_page,
 		    sizeof(MPI2_CONFIG_PAGE_HEADER));
@@ -2186,6 +2190,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		mps_unlock(sc);
 		break;
 	case MPSIO_READ_EXT_CFG_PAGE:
+		if (ext_page_req->len <
+		    (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO);
 		error = copyin(ext_page_req->buf, mps_page,
 		    sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER));
@@ -2199,6 +2208,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag,
 		error = copyout(mps_page, ext_page_req->buf, ext_page_req->len);
 		break;
 	case MPSIO_WRITE_CFG_PAGE:
+		if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO);
 		error = copyin(page_req->buf, mps_page, page_req->len);
 		if (error)
diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c
index cf339387c10e..10d5bac15d49 100644
--- a/sys/dev/mpt/mpt_user.c
+++ b/sys/dev/mpt/mpt_user.c
@@ -672,6 +672,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td
 	case MPTIO_READ_CFG_PAGE32:
 #endif
 	case MPTIO_READ_CFG_PAGE:
+		if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len);
 		if (error)
 			break;
@@ -698,6 +702,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td
 	case MPTIO_READ_EXT_CFG_PAGE32:
 #endif
 	case MPTIO_READ_EXT_CFG_PAGE:
+		if (ext_page_req->len <
+		    (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len);
 		if (error)
 			break;
@@ -717,6 +726,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td
 	case MPTIO_WRITE_CFG_PAGE32:
 #endif
 	case MPTIO_WRITE_CFG_PAGE:
+		if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) {
+			error = EINVAL;
+			break;
+		}
 		error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len);
 		if (error)
 			break;