From nobody Mon May 20 14:18:47 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VjfnM5Ql4z5LM8q; Mon, 20 May 2024 14:18:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VjfnM3B8pz4Wm2; Mon, 20 May 2024 14:18:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1716214727; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/0JYeWCjSXQCLgGEzIxvIWjpzuhvJxUyVgqayv+lANY=; b=jzcCHjwA1l3jfbYxDKt+5C4wvxR+9Rzk1Jwe2ax4uv99UjEpYjWtlHKYYxNNjdhG1qiKZu t9Stt3xDGolAwXeri5RzwS726/PlVSeB3ZBc9Fuzlu9tTKRuMBJUzL2f2M7nwVDb8x+luH rq96D5pF7y1sECG5bXiVUI8I5kijardzeycdcTfLQtQ4soUCxBlaLoxlK8BknN5s+IlnA3 xmZyhdZjV8Ol+nTkccZm1Mv0otbqJm2726vVb7yQ0Qr7Ow3xXpJcxW29upsGuqFq0lSLK3 KjZFBG7zlEOb9TbBWKlHNB9rCfo2El8rNLC88wWQnEzQgnGRvQ2u9JCKqZtCUA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1716214727; a=rsa-sha256; cv=none; b=U841UP4Ybt+w+3Mb+LKW7eKEngaCK3acWT/LTeMy4t023AqtlSrpVcp7x1oYQh9l2NNI/U gmxGnEevFEZASJD7jrstRFJ2unPrWkK0EB/tce3o2pEPvCnS6qXoYqilXSCl1SbtE1R5+k Hm7cDbnMBdKOR/niDejeR/Akn623ws5ZHUQrUWDLgkbIFvat8ruuyuV7TFjFQsKkLxv49A MNCZxed5n2J2JMnoyF12VBF/tfgHPdbyaJB9IP/GIs5sBcl0j58p9WzNwvN+fNWo+ptX7A WyB6zl1/k9tBF425Ipo3aYbVAWjwoBmKU6p1OpKbDylk8qvPJ189H6mAqqwoTA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1716214727; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/0JYeWCjSXQCLgGEzIxvIWjpzuhvJxUyVgqayv+lANY=; b=UpXRPUOMJnaq0/GK6/fC366OpJD4kCDybjrZWEZQuY+caveyyW2q+7WrBol8k4YVXEbUK2 5HOpOcZc7fwVjY47My4HmnVVPSM7ukPOc318Wl0sYF5jherQN4VOdxvLrux99N16YfUNaE Wdg9EMNrppbmqzH0S3qtd6j5WW6vmuVZU1XS3gYkGhKJ8C1a5eCA5b64Z7+3VB8CUjH+hb 3IlvE2DPljmVrwnD5oNfFIro0BNQYoG4HfqE0yJwltVIB96cEHKBigU3FI2GZZSLBuJqRB osrBGBR5JKNWOZIDUeFGv+JWDcwXHSbiRXHN58sIoiYNOxPCjZ8eqM1nQGqqfw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VjfnM2nQ8zh5M; Mon, 20 May 2024 14:18:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 44KEIloP014999; Mon, 20 May 2024 14:18:47 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 44KEIlfO014996; Mon, 20 May 2024 14:18:47 GMT (envelope-from git) Date: Mon, 20 May 2024 14:18:47 GMT Message-Id: <202405201418.44KEIlfO014996@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Christos Margiolis Subject: git: 074d337ad618 - main - sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS* List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: christos X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 074d337ad618f9cc2a1d5ab18b484928e57bd72b Auto-Submitted: auto-generated The branch main has been updated by christos: URL: https://cgit.FreeBSD.org/src/commit/?id=074d337ad618f9cc2a1d5ab18b484928e57bd72b commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b Author: Christos Margiolis AuthorDate: 2024-05-20 14:18:28 +0000 Commit: Christos Margiolis CommitDate: 2024-05-20 14:18:28 +0000 sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS* SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes, however we currently do not check whether this size is actually valid, which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an invalid size. sndstat_add_user_devs() calls sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size. PR: 266142 Sponsored by: The FreeBSD Foundation MFC after: 1 day Reviewed by: brooks Differential Revision: https://reviews.freebsd.org/D45236 --- sys/dev/sound/pcm/sndstat.c | 5 +++++ sys/sys/sndstat.h | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/sys/dev/sound/pcm/sndstat.c b/sys/dev/sound/pcm/sndstat.c index edb33e92ade9..f310d8f3bff3 100644 --- a/sys/dev/sound/pcm/sndstat.c +++ b/sys/dev/sound/pcm/sndstat.c @@ -864,6 +864,11 @@ sndstat_add_user_devs(struct sndstat_file *pf, caddr_t data) goto done; } + if (arg->nbytes > SNDST_UNVLBUF_MAX) { + err = ENOMEM; + goto done; + } + err = sndstat_unpack_user_nvlbuf(arg->buf, arg->nbytes, &nvl); if (err != 0) goto done; diff --git a/sys/sys/sndstat.h b/sys/sys/sndstat.h index f0e4d352242f..8a49042b0453 100644 --- a/sys/sys/sndstat.h +++ b/sys/sys/sndstat.h @@ -74,6 +74,11 @@ struct sndstioc_nv_arg { #define SNDST_DSPS_SOUND4_PVCHAN "pvchan" #define SNDST_DSPS_SOUND4_RVCHAN "rvchan" +/* + * Maximum user-specified nvlist buffer size + */ +#define SNDST_UNVLBUF_MAX 65535 + #define SNDSTIOC_REFRESH_DEVS \ _IO('D', 100) #define SNDSTIOC_GET_DEVS \