CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Ed Maste <emaste@FreeBSD.org>
	Tue, 5 Apr 2022 23:26:48 +0000 (23:26 +0000)
committer	Ed Maste <emaste@FreeBSD.org>
	Tue, 5 Apr 2022 23:26:48 +0000 (23:26 +0000)
commit	e724f3ce79707d1085fae666a678eab07c05af5a
tree	603f31623991eb6fa688399a56e1d631cea553dc	tree \| snapshot
parent	b85c68857da3fdd833c4c146e2f5f49f4c16b0d7	commit \| diff

mpr/mps/mpt: verify cfg page ioctl lengths

*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by: imp, mav
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34692

(cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
(cherry picked from commit 0b29e1b9f9df3bde6402cccc49cb850c0dcc35fb)

Approved by: so
Security: CVE-2022-23086
Security: FreeBSD-SA-22:06.ioctl

sys/dev/mpr/mpr_user.c		diff \| blob \| history
sys/dev/mps/mps_user.c		diff \| blob \| history
sys/dev/mpt/mpt_user.c		diff \| blob \| history