Date: Wed, 6 Apr 2022 14:20:12 GMT
Message-Id: <202204061420.236EKChb043558@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: b2bdfad93ba8 - stable/11 - mpr/mps/mpt: verify cfg page ioctl lengths
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/11
X-Git-Reftype: branch
X-Git-Commit: b2bdfad93ba8567c40a01728a35d732e3206716d

The branch stable/11 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=b2bdfad93ba8567c40a01728a35d732e3206716d commit b2bdfad93ba8567c40a01728a35d732e3206716d Author: Ed Maste AuthorDate: 2022-03-28 13:33:54 +0000 Commit: Ed Maste CommitDate: 2022-04-06 14:19:28 +0000 mpr/mps/mpt: verify cfg page ioctl lengths *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 (cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087) --- sys/dev/mpr/mpr_user.c | 13 +++++++++++++ sys/dev/mps/mps_user.c | 13 +++++++++++++ sys/dev/mpt/mpt_user.c | 13 +++++++++++++ 3 files changed, 39 insertions(+) diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index 1921b9697898..6e6f1a3faeff 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -2174,6 +2174,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mpr_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); 
@@ -2192,6 +2196,11 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mpr_unlock(sc); break; case MPRIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(ext_page_req->len, M_MPRUSER, M_WAITOK | M_ZERO); error = copyin(ext_page_req->buf, mpr_page, @@ -2206,6 +2215,10 @@ mpr_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mpr_page, ext_page_req->buf, ext_page_req->len); break; case MPRIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mpr_page, page_req->len); if (error) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index 1abe3c535642..ed77a53eb5a4 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -2079,6 +2079,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK | M_ZERO); error = copyin(page_req->buf, mps_page, sizeof(MPI2_CONFIG_PAGE_HEADER)); @@ -2097,6 +2101,11 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, mps_unlock(sc); break; case MPSIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(ext_page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(ext_page_req->buf, mps_page, sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)); 
@@ -2110,6 +2119,10 @@ mps_ioctl(struct cdev *dev, u_long cmd, void *arg, int flag, error = copyout(mps_page, ext_page_req->buf, ext_page_req->len); break; case MPSIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } mps_page = malloc(page_req->len, M_MPSUSER, M_WAITOK|M_ZERO); error = copyin(page_req->buf, mps_page, page_req->len); if (error) diff --git a/sys/dev/mpt/mpt_user.c b/sys/dev/mpt/mpt_user.c index 8710b6908a89..94da1815322b 100644 --- a/sys/dev/mpt/mpt_user.c +++ b/sys/dev/mpt/mpt_user.c @@ -670,6 +670,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_CFG_PAGE32: #endif case MPTIO_READ_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break; @@ -696,6 +700,11 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_READ_EXT_CFG_PAGE32: #endif case MPTIO_READ_EXT_CFG_PAGE: + if (ext_page_req->len < + (int)sizeof(CONFIG_EXTENDED_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, ext_page_req->len); if (error) break; @@ -715,6 +724,10 @@ mpt_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td case MPTIO_WRITE_CFG_PAGE32: #endif case MPTIO_WRITE_CFG_PAGE: + if (page_req->len < (int)sizeof(CONFIG_PAGE_HEADER)) { + error = EINVAL; + break; + } error = mpt_alloc_buffer(mpt, &mpt_page, page_req->len); if (error) break;
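Review bot: in the mpr MPRIO_READ_CFG_PAGE hunk (@@ -2174) the new minimum check bounds page_req->len from below, but nothing bounds it from above before `mpr_page = malloc(page_req->len, M_MPRUSER, M_WAITOK | M_ZERO);`, so a caller can still request an arbitrarily large zeroed allocation. The commit message notes the device node is root:operator 0640, so this is a hardening follow-up rather than a blocker, but consider a sane upper limit, or a comment stating why none is needed. The `(int)` cast in `if (page_req->len < (int)sizeof(MPI2_CONFIG_PAGE_HEADER))` is doing real work: assuming len is a signed int, it keeps the comparison signed so a negative length is rejected here instead of being converted to a huge size_t and slipping past the check; worth a short comment so nobody "cleans up" the cast later.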
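Review bot: the four-line check introduced in the mpr MPRIO_READ_EXT_CFG_PAGE hunk (@@ -2192) has the same shape as the ones in the two neighbouring mpr hunks with only the header type changed, and the pattern repeats in mps and mpt. A small per-driver helper (a static inline taking the request length and a minimum, returning EINVAL when too short) would keep the call sites from drifting and state the intent, reject requests shorter than the header the code is about to copyin, in one place. Not a blocker; the inline form is readable as written.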
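Review bot: in the mpr MPRIO_WRITE_CFG_PAGE hunk (@@ -2206) the copyin that follows uses the caller's full length (`error = copyin(page_req->buf, mpr_page, page_req->len);`), so unlike the read cases the new minimum check is not protecting that copyin itself; it is protecting whatever later reads header fields out of mpr_page. A one-line comment above the check saying so would save the next reader from wondering why a write path needs a minimum length. The same applies to the mps MPSIO_WRITE_CFG_PAGE hunk (@@ -2110), which is identical apart from the driver prefix.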
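Review bot: in the mps MPSIO_READ_EXT_CFG_PAGE hunk (@@ -2097) the minimum in the new check and the size passed to the following copyin are the same expression written twice (`(int)sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)` and `sizeof(MPI2_CONFIG_EXTENDED_PAGE_HEADER)`); if either is ever edited independently the check silently stops guarding the copy. Consider computing the header size once into a local and using it for both, which would also remove the wrapped two-line condition.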
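Review bot: in the mpt MPTIO_READ_CFG_PAGE hunk (@@ -670) the new check sits after both the `case MPTIO_READ_CFG_PAGE32:` label (under #endif) and the native `case MPTIO_READ_CFG_PAGE:` label, so it covers the 32-bit compat request as well, which is the right placement; please confirm that on the PAGE32 path page_req->len has already been populated from the 32-bit request structure by this point, since the check reads the native field. The same question applies to the READ_EXT_CFG_PAGE32 and WRITE_CFG_PAGE32 labels in the two following mpt hunks (@@ -696 and @@ -715). Placing the check ahead of `mpt_alloc_buffer(mpt, &mpt_page, page_req->len)` also means the EINVAL path has nothing to free, which is cleaner than checking after allocation.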