Page MenuHomeFreeBSD
Differential D27963

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
ClosedPublic
Actions

Authored by markj on Jan 4 2021, 11:37 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Jun 8, 10:09 AM
Unknown Object (File)
Thu, Jun 4, 7:56 PM
Unknown Object (File)
Sun, May 31, 5:33 AM
Unknown Object (File)
May 13 2026, 7:47 PM
Unknown Object (File)
May 1 2026, 3:05 AM
Unknown Object (File)
Apr 30 2026, 10:00 PM
Unknown Object (File)
Apr 30 2026, 8:10 PM
Unknown Object (File)
Apr 20 2026, 8:47 AM
View All Files
Subscribers
imp

Details

Reviewers
slm
ken
scottl
imp
Commits
rGed6fa9d618bf: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
rGde828a91db29: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
Summary

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
coping the header in first is susceptible to TOCTOU problems.

Test Plan

I don't have any hardware driven by mpr or mps. Would anyone be willing
to test?

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
dev/
mpr/
30 lines
mps/
32 lines

Diff 81899

View Options

sys/dev/mpr/mpr_user.c

Loading...
View Options

sys/dev/mps/mps_user.c

Loading...