HomeFreeBSD
Diffusion FreeBSD src repository de828a91db29

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
de828a91db29
Actions

Description

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
coping the header in first is susceptible to TOCTOU problems.

Reviewed by: imp
Reported by: maxpl0it@protonmail.com
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D27963

Details

Provenance
markjAuthored on Jan 8 2021, 6:32 PM
Reviewer
imp
Differential Revision
D27963: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
Parents
rG092cf8d63f9f: safexcel: Fix a race around unblocking of crypto ops
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
sys/
dev/
mpr/
mps/

rGde828a91db29

View Options

sys/dev/mpr/mpr_user.c

Loading...
View Options

sys/dev/mps/mps_user.c

Loading...