HBSD MFC r330880: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.

Always terminate the list with -1 and document the ioctl behavior.
This preserves existing behavior as seen from userspace with the
addition of the unconditional termination which will not be seen by
working consumers of MDIOCLIST.

Because this ioctl can only be performed by root (in default
configurations) and is not used in the base system this bug is not
deemed to warrant either a security advisory or an errata notice.

Reviewed by:	kib
Obtained from:	CheriBSD
Discussed with:	security-officer (gordon)
MFC after:	3 days
Security:	kernel heap buffer overflow
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14685

(cherry picked from commit 83fa13c)

Author: brooks <brooks@FreeBSD.org>
Original-commit-date: Tue Mar 13 20:39:06 2018 +0000
svn-commit-id: /head/ r330880
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
opntr committed Mar 28, 2018
1 parent 3fe8def commit 880d7e9
Showing 1 changed file with 14 additions and 3 deletions.
17 changes: 14 additions & 3 deletions sys/dev/md/md.c
Expand Up @@ -1718,13 +1718,24 @@ xmdctlioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread
strlen(sc->file) + 1);
return (error);
case MDIOCLIST:
/*
* Write the number of md devices to mdio->md_pad[0].
* Write the unit number of the first (MDNPAD - 2) units
* to mdio->md_pad[1::(MDNPAD - 2)] and terminate the
* list with -1.
*
* XXX: There is currently no mechanism to retrieve unit
* numbers for more than (MDNPAD - 2) units.
*
* XXX: Due to the use of LIST_INSERT_HEAD in mdnew(), the
* list of visible unit numbers not stable.
*/
i = 1;
LIST_FOREACH(sc, &md_softc_list, list) {
if (i == MDNPAD - 1)
mdio->md_pad[i] = -1;
else
if (i < MDNPAD - 1)
mdio->md_pad[i++] = sc->unit;
}
mdio->md_pad[MIN(i, MDNPAD - 1)] = -1;
mdio->md_pad[0] = i - 1;
return (0);
default:
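
Review bot: The block comment in the MDIOCLIST case says md_pad[0] receives the number of md devices, but in the loop `i` only advances under `if (i < MDNPAD - 1)`, so `mdio->md_pad[0] = i - 1;` saturates at MDNPAD - 2 and a caller cannot tell a list that exactly fits from one that was truncated. Either count every entry of md_softc_list in a separate variable and store that in md_pad[0], or reword the comment to say md_pad[0] is the number of unit numbers actually returned. The terminator write through `MIN(i, MDNPAD - 1)` keeps the index inside md_pad either way, so the bound itself looks right. The second XXX sentence is also missing its verb ("is not stable").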