git: 758927a982db - main - oce(4): Don't directly access usespace

Thu, 15 Jun 2023 09:35:43 -0700 

The branch main has been updated by brooks:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=758927a982db0ae3ebb02c05aec8a53bcc0c20cb

commit 758927a982db0ae3ebb02c05aec8a53bcc0c20cb
Author:     Brooks Davis <[email protected]>
AuthorDate: 2023-06-14 17:55:41 +0000
Commit:     Brooks Davis <[email protected]>
CommitDate: 2023-06-15 16:34:54 +0000

    oce(4): Don't directly access usespace
    
    Replace direct stores to userspace addresses (never safe and broken on
    modern CPUs) with a copyout.  Use a static assert on the size to ensure
    we don't overflow the field.
    
    Reviewed by:    markj, jhb
    Sponsored by:   DARPA
    Differential Revision:  https://reviews.freebsd.org/D40519
---
 sys/dev/oce/oce_if.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/sys/dev/oce/oce_if.c b/sys/dev/oce/oce_if.c
index 5d250fcac0bd..bde7bf9b208a 100644
--- a/sys/dev/oce/oce_if.c
+++ b/sys/dev/oce/oce_if.c
@@ -2246,7 +2246,6 @@ oce_handle_passthrough(if_t ifp, caddr_t data)
        uint32_t req_size;
        struct mbx_hdr req;
        OCE_DMA_MEM dma_mem;
-       struct mbx_common_get_cntl_attr *fw_cmd;
 
        if (copyin(priv_data, cookie, strlen(IOCTL_COOKIE)))
                return EFAULT;
@@ -2278,17 +2277,25 @@ oce_handle_passthrough(if_t ifp, caddr_t data)
                goto dma_free;
        }
 
-       if (copyout(OCE_DMAPTR(&dma_mem,char), ioctl_ptr, req_size))
+       if (copyout(OCE_DMAPTR(&dma_mem,char), ioctl_ptr, req_size)) {
                rc =  EFAULT;
+               goto dma_free;
+       }
 
        /* 
           firmware is filling all the attributes for this ioctl except
           the driver version..so fill it 
         */
        if(req.u0.rsp.opcode == OPCODE_COMMON_GET_CNTL_ATTRIBUTES) {
-               fw_cmd = (struct mbx_common_get_cntl_attr *) ioctl_ptr;
-               strncpy(fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str,
-                       COMPONENT_REVISION, strlen(COMPONENT_REVISION));        
+               struct mbx_common_get_cntl_attr *fw_cmd =
+                   (struct mbx_common_get_cntl_attr *)ioctl_ptr;
+               _Static_assert(sizeof(COMPONENT_REVISION) <=
+                    
sizeof(fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str),
+                    "driver version string too long");
+
+               rc = copyout(COMPONENT_REVISION,
+                   fw_cmd->params.rsp.cntl_attr_info.hba_attr.drv_ver_str,
+                   sizeof(COMPONENT_REVISION));
        }
 
 dma_free:

Reply via email to