From 72aad3f9028af12e6c56a3a461b46a153abd7b24 Mon Sep 17 00:00:00 2001 From: Alan Somers Date: Wed, 1 Mar 2023 11:53:46 -0700 Subject: Fix kernel memory disclosures in mpr and mps In every mpr and mps ioctl that copies kernel data to userland, validate that the requested length does not exceed the size of the kernel's buffer. Note that all of these ioctls already required root access. MFC after: 2 weeks Sponsored by: Axcient Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D38842 --- sys/dev/mpr/mpr_user.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'sys/dev/mpr') diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c index d04aaa24ea0b..5b5c11dd4a65 100644 --- a/sys/dev/mpr/mpr_user.c +++ b/sys/dev/mpr/mpr_user.c @@ -863,7 +863,7 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) } mpr_unlock(sc); copyout(cm->cm_reply, PTRIN(data->PtrReply), - data->ReplySize); + MIN(sz, data->ReplySize)); mpr_lock(sc); } mprsas_free_tm(sc, cm); @@ -1087,7 +1087,8 @@ mpr_user_pass_thru(struct mpr_softc *sc, mpr_pass_thru_t *data) data->ReplySize, sz); } mpr_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), data->ReplySize); + copyout(cm->cm_reply, PTRIN(data->PtrReply), + MIN(sz, data->ReplySize)); mpr_lock(sc); if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || @@ -2065,7 +2066,7 @@ mpr_user_event_report(struct mpr_softc *sc, mpr_event_report_t *data) if ((size >= sizeof(sc->recorded_events)) && (status == 0)) { mpr_unlock(sc); if (copyout((void *)sc->recorded_events, - PTRIN(data->PtrEvents), size) != 0) + PTRIN(data->PtrEvents), sizeof(sc->recorded_events)) != 0) status = EFAULT; mpr_lock(sc); } else { -- cgit v1.3
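Review bot: The return value of copyout() is still discarded at the changed call in the 863 hunk, so a fault on the user's PtrReply buffer is silently ignored and the ioctl completes as if the reply had been delivered; the same applies to the copyout in the 1087 hunk, whereas the recorded_events hunk does check `!= 0` and sets EFAULT. The two pass-thru sites should use that same shape, `if (copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)) != 0)` followed by assigning EFAULT to the function's return status on its existing error path. The new bound also rests only on sz, which is computed before this hunk; if sz is derived from a length field in the reply itself, it should additionally be clamped to the size of the cm_reply frame so the kernel-side limit does not depend on device-supplied data, and if sz is a signed type the MIN() against an unsigned ReplySize would compare as unsigned. mpr_user_pass_thru starts and ends outside the hunk.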
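Review bot: The clamped copyout now appears twice in mpr_user_pass_thru (this hunk and the 863 hunk) with the identical `MIN(sz, data->ReplySize)` expression, so a small static helper taking sc, cm, data and sz would keep both sites in lockstep and give the bound and its result check a single home. With the clamp in place the mpr_printf just above only logs the mismatch while the user receives a silently truncated reply; a comment at the copyout such as `/* Copy only as much of the reply as the user's buffer can hold. */` would make the intended behavior explicit. The enclosing function starts and ends outside the hunk.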
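Review bot: The `(void *)` cast on `sc->recorded_events` in the new copyout line is unnecessary, since copyout takes a `const void *` source, and it obscures that both the guard `size >= sizeof(sc->recorded_events)` and the new length are only correct if recorded_events is an array embedded in the softc rather than a pointer; a `_Static_assert(sizeof(sc->recorded_events) > sizeof(void *), ...)` or a one-line comment stating the array assumption would make the bound self-evident. The copy is performed after mpr_unlock(sc), so if events are recorded concurrently the snapshot handed to userland may be modified mid-copy; this predates the change, but if it is accepted behavior a comment such as `/* recorded_events may change while unlocked; the snapshot is best-effort. */` belongs here. mpr_user_event_report's body continues outside the hunk.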