Author: mav Date: Thu Sep 6 14:03:10 2018 New Revision: 338494 URL: https://svnweb.freebsd.org/changeset/base/338494
Log: Add missing copyin() to access LUN and port ioctl arguments. Somehow this was working even after PTI in, at least on amd64, and got broken by something only very recently. Reviewed by: araujo Approved by: re (gjb) Modified: head/sys/cam/ctl/ctl.c
Modified: head/sys/cam/ctl/ctl.c
==============================================================================
--- head/sys/cam/ctl/ctl.c Thu Sep 6 12:41:09 2018 (r338493)
+++ head/sys/cam/ctl/ctl.c Thu Sep 6 14:03:10 2018 (r338494)
@@ -2943,8 +2943,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr,
 }
 if (lun_req->args != NULL) {
- lun_req->args_nvl = nvlist_unpack(lun_req->args,
+ packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
+ if (copyin(lun_req->args, packed, lun_req->args_len) != 0) {
+ free(packed, M_CTL);
+ lun_req->status = CTL_LUN_ERROR;
+ snprintf(lun_req->error_str, sizeof(lun_req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ lun_req->args_nvl = nvlist_unpack(packed,
 lun_req->args_len, 0);
+ free(packed, M_CTL);
 if (lun_req->args_nvl == NULL) {
 lun_req->status = CTL_LUN_ERROR;
@@ -3211,8 +3220,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr,
 }
 if (req->args != NULL) {
- req->args_nvl = nvlist_unpack(req->args,
+ packed = malloc(req->args_len, M_CTL, M_WAITOK);
+ if (copyin(req->args, packed, req->args_len) != 0) {
+ free(packed, M_CTL);
+ req->status = CTL_LUN_ERROR;
+ snprintf(req->error_str, sizeof(req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ req->args_nvl = nvlist_unpack(packed,
 req->args_len, 0);
+ free(packed, M_CTL);
 if (req->args_nvl == NULL) {
 req->status = CTL_LUN_ERROR;
_______________________________________________
svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
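Review bot: `lun_req->args_len` is taken from the ioctl argument and goes straight into `malloc(lun_req->args_len, M_CTL, M_WAITOK)` and `copyin()`; no upper bound is visible in this hunk, so unless one is enforced earlier in ctl_ioctl() a caller of the ioctl can ask the kernel for an arbitrarily large sleeping allocation. The same pattern appears in the second hunk with `req->args_len`. I would reject oversized lengths before allocating, in both places, as sketched below (the limit name is a placeholder, not an existing constant). ctl_ioctl()'s body starts and ends outside both hunks, so the declaration of `packed` and whatever cleanup the `break` paths rely on cannot be checked from here.

```c
if (lun_req->args != NULL) {
	/* CTL_ARGS_LEN_LIMIT is a placeholder name; pick a limit the driver can justify. */
	if (lun_req->args_len > CTL_ARGS_LEN_LIMIT) {
		lun_req->status = CTL_LUN_ERROR;
		snprintf(lun_req->error_str, sizeof(lun_req->error_str),
		    "Args too long.");
		break;
	}
	packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
	/* … unchanged: copyin(), nvlist_unpack(), free(packed) … */
```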