mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
Closed, Public

Authored by markj on Jan 4 2021, 11:37 PM.

Details

Summary

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
copying the header in first is susceptible to TOCTOU problems.

Test Plan

I don't have any hardware driven by mpr or mps. Would anyone be willing
to test?

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 35931
Build 32820: arc lint + arc unit
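
The two request-handling shapes the summary contrasts, as an added userspace model (not code from this revision or from the mpr/mps drivers). `model_copyin`, `racing_byte`, `FRAME_SIZE`, `FUNC_OK` and both `passthru_*` functions are hypothetical names; the "function code" in byte 0 is a constructed stand-in for whatever a header check would validate.

```c
/* Userspace model added for illustration; not FreeBSD driver code. All names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_SIZE 128  /* assumed capacity of the command descriptor's request frame */
#define FUNC_OK    0x01 /* constructed "permitted function" code in byte 0 of a request */

struct user_cmd { const uint8_t *req; uint32_t req_size; }; /* ioctl argument */
struct cmd_desc { uint8_t frame[FRAME_SIZE]; };

static uint8_t *racing_byte; /* if set, models another thread rewriting user memory */

/* Stand-in for copyin(9): one fetch from user memory, after which the racer may write. */
static int model_copyin(const uint8_t *uaddr, uint8_t *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    if (racing_byte != NULL)
        *racing_byte = 0xFF;
    return 0;
}

/* Header-first shape: byte 0 is validated on one fetch, then used from a second fetch. */
static int passthru_header_first(const struct user_cmd *cmd, struct cmd_desc *cd)
{
    uint8_t func;
    if (cmd->req_size == 0 || cmd->req_size > FRAME_SIZE)
        return EINVAL;
    model_copyin(cmd->req, &func, 1);
    if (func != FUNC_OK)
        return EPERM;
    return model_copyin(cmd->req, cd->frame, cmd->req_size);
}

/* Shape described in the summary: size check first, one fetch into a heap buffer,
 * then validate and fill the descriptor from that private copy only. */
static int passthru_single_fetch(const struct user_cmd *cmd, struct cmd_desc *cd)
{
    uint8_t *buf;
    int error;
    if (cmd->req_size == 0 || cmd->req_size > FRAME_SIZE)
        return EINVAL; /* rejected before any byte is copied */
    if ((buf = malloc(cmd->req_size)) == NULL)
        return ENOMEM;
    error = model_copyin(cmd->req, buf, cmd->req_size);
    if (error == 0 && buf[0] != FUNC_OK)
        error = EPERM;
    if (error == 0)
        memcpy(cd->frame, buf, cmd->req_size);
    free(buf);
    return error;
}
```

With the modelled concurrent write active, the header-first path accepts a request whose checked byte no longer matches what lands in the descriptor, while the single-fetch path only ever uses the bytes it validated.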