CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Ed Maste <emaste@FreeBSD.org>
	Tue, 5 Apr 2022 23:21:30 +0000 (23:21 +0000)
committer	Ed Maste <emaste@FreeBSD.org>
	Tue, 5 Apr 2022 23:29:20 +0000 (23:29 +0000)
commit	c4c1d79338a30d6dcc0fa0cf6d65f1f0bc7a101c
tree	eb97740a61c87926d42dd9bb20f55948f4acc7a9	tree \| snapshot
parent	9c55c1cf567c598b0bbb2e996d09ca0b44ba88f5	commit \| diff

mpr/mps/mpt: verify cfg page ioctl lengths

*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by: imp, mav
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34692

(cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
(cherry picked from commit 56d0638c738e3f9b7fbc7f78bd49590523e01ada)

Approved by: so
Security: CVE-2022-23086
Security: FreeBSD-SA-22:06.ioctl

sys/dev/mpr/mpr_user.c		diff \| blob \| history
sys/dev/mps/mps_user.c		diff \| blob \| history
sys/dev/mpt/mpt_user.c		diff \| blob \| history