opnsense-src

mirror of https://github.com/opnsense/src.git synced 2026-02-19 02:30:08 -05:00

History

Ed Maste 1289cbfc18 mpr/mps/mpt: verify cfg page ioctl lengths *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 (cherry picked from commit `8276c4149b`) (cherry picked from commit `0b29e1b9f9`) Approved by: so Security: CVE-2022-23086 Security: FreeBSD-SA-22:06.ioctl		2022-04-06 08:05:11 +02:00
..
mpilib
mpt.c	Make MAXPHYS tunable. Bump MAXPHYS to 1M.	2020-11-28 12:12:51 +00:00
mpt.h	Make MAXPHYS tunable. Bump MAXPHYS to 1M.	2020-11-28 12:12:51 +00:00
mpt_cam.c	mpt(4): Remove incorrect S/G segments limits.	2021-04-23 20:43:14 -04:00
mpt_cam.h
mpt_debug.c
mpt_pci.c
mpt_raid.c	Mark some sysctls as CTLFLAG_MPSAFE.	2021-08-24 21:53:18 -04:00
mpt_raid.h
mpt_reg.h
mpt_user.c	mpr/mps/mpt: verify cfg page ioctl lengths	2022-04-06 08:05:11 +02:00