CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Mark Johnston <markj@FreeBSD.org>
	Wed, 3 Nov 2021 19:09:17 +0000 (15:09 -0400)
committer	Mark Johnston <markj@FreeBSD.org>
	Wed, 3 Nov 2021 19:09:17 +0000 (15:09 -0400)
commit	6afabf00920fb8d41b8f013090f282c17c117efc
tree	931415d4fcef4db63ff520b8a20a8121160790f1	tree \| snapshot
parent	3358df2973251b4de690f197640eca5d794e0194	commit \| diff

scsi_cd: Improve TOC access validation

1. During CD probing, we read the TOC header to find the number of
   entries, then read the TOC itself.  The header determines the number
   of entries, which determines the amount of data to read from the
   device into the softc in the CD_STATE_MEDIA_TOC_FULL state.  We
   hard-code a limit of 99 tracks (plus one for the lead-out) in the
   softc, but were not validating that the size reported by the media
   would fit in this hard-coded limit.  Kernel memory corruption could
   occur if not.[1]  Add validation to check this, and refuse to cache
   the TOC if it would not fit.

2. The CDIOCPLAYTRACKS ioctl uses caller provided track numbers to index
   into the TOC, but we only validate the starting index.  Add
   validation of the ending index.

Also, raise the hard-coded limit from 100 tracks to 170, per a
suggestion from Ken.

Reported by: C Turt <ecturt@gmail.com> [1]
Reviewed by: ken, avg
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32803