Differential D27963

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
ClosedPublic
Actions

Authored by markj on Jan 4 2021, 11:37 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Mar 23, 7:42 AM

	Unknown Object (File)
	Sat, Mar 21, 2:14 PM

	Unknown Object (File)
	Thu, Mar 19, 7:44 AM

	Unknown Object (File)
	Wed, Mar 18, 11:50 PM

	Unknown Object (File)
	Thu, Mar 12, 12:37 PM

	Unknown Object (File)
	Feb 15 2026, 3:49 AM

	Unknown Object (File)
	Feb 13 2026, 6:59 AM

	Unknown Object (File)
	Feb 13 2026, 2:43 AM

Subscribers

Details

Reviewers

slm
ken
scottl
imp

Commits

rGed6fa9d618bf: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
rGde828a91db29: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Summary

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
coping the header in first is susceptible to TOCTOU problems.

Test Plan

I don't have any hardware driven by mpr or mps. Would anyone be willing
to test?

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Jan 4 2021, 11:37 PM

Herald added a reviewer: slm. · View Herald TranscriptJan 4 2021, 11:37 PM

Herald added a subscriber: imp. · View Herald Transcript

markj requested review of this revision.Jan 4 2021, 11:37 PM

Harbormaster completed remote builds in B35931: Diff 81652.Jan 4 2021, 11:37 PM

markj edited the test plan for this revision. (Show Details)Jan 4 2021, 11:40 PM

markj added reviewers: ken, scottl.

These look good to my eye.

This revision is now accepted and ready to land.Jan 4 2021, 11:49 PM

Closed by commit rGde828a91db29: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl (authored by markj). · Explain WhyJan 8 2021, 6:33 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGde828a91db29: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl.

markj added a commit: rGed6fa9d618bf: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl.Jan 11 2021, 2:55 PM

Revision Contents
Changeset List

Path

Size

sys/

dev/

mpr/

30 lines

mps/

32 lines

Diff 81899

sys/dev/mpr/mpr_user.c

Loading...

sys/dev/mps/mps_user.c

Loading...