mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Description

mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
copying the header in first is susceptible to TOCTOU problems.

Reviewed by: imp
Reported by: maxpl0it@protonmail.com
Differential Revision: https://reviews.freebsd.org/D27963

(cherry picked from commit de828a91db29fb20440e0d92f3d3136b314a9584)
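
The two copy-in orders the commit message contrasts, as an added userland C model (not the mpr/mps driver code and not taken from the commit). `model_copyin`, `struct hdr` with its `words` length field, `FRAME_MAX` and the simulated racing write are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_MAX 64              /* assumed descriptor capacity, in bytes */
struct hdr  { uint32_t words; };  /* hypothetical header with a length field */
struct desc { struct hdr h; uint8_t body[FRAME_MAX - sizeof(struct hdr)]; };
int fetches;                      /* model_copyin() calls so far */

/* Stand-in for copyin(9). After the first fetch, a racing user thread is
 * modelled by rewriting the length field in "user" memory. */
static int model_copyin(void *uaddr, void *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    if (++fetches == 1)
        memcpy(uaddr, &(uint32_t){0xffff}, sizeof(uint32_t));
    return 0;
}

/* Header-first: validates one fetch, then uses a second one (TOCTOU). */
int header_first(void *ureq, size_t size, struct desc *d)
{
    struct hdr h;
    if (size < sizeof(h) || size > FRAME_MAX)
        return EINVAL;
    model_copyin(ureq, &h, sizeof(h));
    if (h.words > FRAME_MAX / 4)
        return EINVAL;
    return model_copyin(ureq, d, size);   /* header is fetched again */
}

/* Order described in the message: size check, one fetch, validate that copy. */
int single_fetch(void *ureq, size_t size, struct desc *d)
{
    struct hdr h;
    uint8_t *buf;
    if (size < sizeof(h) || size > FRAME_MAX)
        return EINVAL;            /* rejected before any bytes are copied */
    if ((buf = malloc(size)) == NULL)
        return ENOMEM;
    int error = model_copyin(ureq, buf, size);
    memcpy(&h, buf, sizeof(h));
    if (error == 0 && h.words > FRAME_MAX / 4)
        error = EINVAL;
    if (error == 0)
        memcpy(d, buf, size);     /* descriptor holds the validated bytes */
    free(buf);
    return error;
}
```

With the header-first order the descriptor ends up holding a length field that was never validated; with the single fetch, the bytes checked are the bytes used.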

Details

Provenance
markj authored on Jan 8 2021, 6:32 PM
Reviewer
imp
Differential Revision
D27963: mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
Parents
rGee01a1e7d862: mpr, mps: Fix an off-by-one bug in the BTDH_MAPPING ioctl