Page MenuHomeFreeBSD

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
ClosedPublic

Authored by markj on Jan 4 2021, 11:37 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Oct 14, 1:20 AM
Unknown Object (File)
Sun, Oct 12, 11:08 AM
Unknown Object (File)
Sat, Oct 4, 1:06 PM
Unknown Object (File)
Sep 15 2025, 1:48 AM
Unknown Object (File)
Sep 13 2025, 5:13 PM
Unknown Object (File)
Sep 7 2025, 6:21 PM
Unknown Object (File)
Sep 5 2025, 3:25 PM
Unknown Object (File)
Aug 25 2025, 7:40 AM
Subscribers

Details

Summary

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
coping the header in first is susceptible to TOCTOU problems.

Test Plan

I don't have any hardware driven by mpr or mps. Would anyone be willing
to test?

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable