Page MenuHomeFreeBSD
Differential D27963

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
ClosedPublic
Actions

Authored by markj on Jan 4 2021, 11:37 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Oct 14, 1:20 AM
Unknown Object (File)
Sun, Oct 12, 11:08 AM
Unknown Object (File)
Sat, Oct 4, 1:06 PM
Unknown Object (File)
Sep 15 2025, 1:48 AM
Unknown Object (File)
Sep 13 2025, 5:13 PM
Unknown Object (File)
Sep 7 2025, 6:21 PM
Unknown Object (File)
Sep 5 2025, 3:25 PM
Unknown Object (File)
Aug 25 2025, 7:40 AM
View All 87 Files
Subscribers
imp

Details

Reviewers
slm
ken
scottl
imp
Commits
rGed6fa9d618bf: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
rGde828a91db29: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
Summary

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
coping the header in first is susceptible to TOCTOU problems.

Test Plan

I don't have any hardware driven by mpr or mps. Would anyone be willing
to test?

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
dev/
mpr/
30 lines
mps/
32 lines

Diff 81899

View Options

sys/dev/mpr/mpr_user.c

Loading...
View Options

sys/dev/mps/mps_user.c

Loading...