CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Mark Johnston <markj@FreeBSD.org>
	Wed, 3 Nov 2021 19:09:17 +0000 (15:09 -0400)
committer	Mark Johnston <markj@FreeBSD.org>
	Wed, 10 Nov 2021 14:57:14 +0000 (09:57 -0500)
commit	f552d2c115a9d334b6e6ff2d0fb0993e4023a3cc
tree	e10f52b68206b6de565367fa8b1678b2fa9dda1a	tree \| snapshot
parent	aab2bfc1274f4eebefac44f86cc7ee79bf5121a8	commit \| diff

scsi_cd: Improve TOC access validation

1. During CD probing, we read the TOC header to find the number of
   entries, then read the TOC itself.  The header determines the number
   of entries, which determines the amount of data to read from the
   device into the softc in the CD_STATE_MEDIA_TOC_FULL state.  We
   hard-code a limit of 99 tracks (plus one for the lead-out) in the
   softc, but were not validating that the size reported by the media
   would fit in this hard-coded limit.  Kernel memory corruption could
   occur if not.[1]  Add validation to check this, and refuse to cache
   the TOC if it would not fit.

2. The CDIOCPLAYTRACKS ioctl uses caller provided track numbers to index
   into the TOC, but we only validate the starting index.  Add
   validation of the ending index.

Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.

Approved by: re (gjb)
Reported by: C Turt <ecturt@gmail.com> [1]
Reviewed by: ken, avg
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 6afabf00920fb8d41b8f013090f282c17c117efc)
(cherry picked from commit f607b686f9a96745e337a8d045f0f51b599a245e)