git: 1a798187e554 - stable/13 - Fix kernel memory disclosures in mpr and mps

From: Alan Somers <asomers_at_FreeBSD.org>
Date: Wed, 22 Mar 2023 19:28:11 UTC
The branch stable/13 has been updated by asomers:

URL: https://cgit.FreeBSD.org/src/commit/?id=1a798187e5546c817a3bab845d73520d4a88a185

commit 1a798187e5546c817a3bab845d73520d4a88a185
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-03-01 18:53:46 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-03-22 16:52:42 +0000

    Fix kernel memory disclosures in mpr and mps
    
    In every mpr and mps ioctl that copies kernel data to userland, validate
    that the requested length does not exceed the size of the kernel's
    buffer.
    
    Note that all of these ioctls already required root access.
    
    Sponsored by:   Axcient
    Reviewed by:    imp
    Differential Revision: https://reviews.freebsd.org/D38842
    
    (cherry picked from commit 72aad3f9028af12e6c56a3a461b46a153abd7b24)
---
 sys/dev/mpr/mpr_user.c | 7 ++++---
 sys/dev/mps/mps_user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
index d04aaa24ea0b..5b5c11dd4a65 100644
--- a/sys/dev/mpr/mpr_user.c
+++ b/sys/dev/mpr/mpr_user.c
@@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 			}
 			mpr_unlock(sc);
 			copyout(cm->cm_reply, PTRIN(data->PtrReply),
-			    data->ReplySize);
+			    MIN(sz, data->ReplySize));
 			mpr_lock(sc);
 		}
 		mprsas_free_tm(sc, cm);
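Review bot: The return value of copyout() on the changed lines is still discarded, so a fault on the caller's PtrReply buffer leaves the ioctl reporting success with an unfilled reply, whereas the mpr_user_event_report hunk in this same commit already maps a copyout failure to `status = EFAULT`. The bounded length looks right provided `sz` is the length of the reply actually held in cm->cm_reply; the diagnostic on the context line of the next hunk (`data->ReplySize, sz`) suggests that, but its definition lies outside the hunk. I would change the call to `if (copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)) != 0) ERRVAR = EFAULT;`, with ERRVAR standing for whatever status variable this function returns, which is not visible here. The same applies to the second mpr_user_pass_thru hunk (@@ -1087) and to both mps_user_pass_thru hunks in mps_user.c. mpr_user_pass_thru begins and ends outside the hunk.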
@@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data)
 			    data->ReplySize, sz);
 		}
 		mpr_unlock(sc);
-		copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+		copyout(cm->cm_reply, PTRIN(data->PtrReply),
+		    MIN(sz, data->ReplySize));
 		mpr_lock(sc);
 
 		if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data)
 	if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 		mpr_unlock(sc);
 		if (copyout((void *)sc->recorded_events,
-		    PTRIN(data->PtrEvents), size) != 0)
+		    PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 			status = EFAULT;
 		mpr_lock(sc);
 	} else {
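Review bot: After this change the length handed to copyout no longer depends on `size`, so the guard on the first context line now only establishes that the user buffer is at least as large as sc->recorded_events while the copy is always exactly that size; a reader may take it for a leftover bug. A one-line comment above the copyout would make the intent explicit, e.g. `/* Copy exactly the kernel event buffer; size only guarantees the user buffer can hold it. */`. The else branch that handles a smaller buffer is outside the hunk, as is the rest of mpr_user_event_report. The same comment applies to the mps_user_event_report hunk in mps_user.c.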
diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index a16201cde131..3b8f79802808 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -874,7 +874,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 			}
 			mps_unlock(sc);
 			copyout(cm->cm_reply, PTRIN(data->PtrReply),
-			    data->ReplySize);
+			    MIN(sz, data->ReplySize));
 			mps_lock(sc);
 		}
 		mpssas_free_tm(sc, cm);
@@ -1027,7 +1027,8 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 			    data->ReplySize, sz);
 		}
 		mps_unlock(sc);
-		copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize);
+		copyout(cm->cm_reply, PTRIN(data->PtrReply),
+		    MIN(sz, data->ReplySize));
 		mps_lock(sc);
 
 		if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) ||
@@ -1967,7 +1968,7 @@ mps_user_event_report(struct mps_softc *sc, mps_event_report_t *data)
 	if ((size >= sizeof(sc->recorded_events)) && (status == 0)) {
 		mps_unlock(sc);
 		if (copyout((void *)sc->recorded_events,
-		    PTRIN(data->PtrEvents), size) != 0)
+		    PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0)
 			status = EFAULT;
 		mps_lock(sc);
 	} else {