From owner-svn-src-all@FreeBSD.ORG Sat Aug 7 08:08:14 2010
Message-Id: <201008070808.o7788ElU079208@svn.freebsd.org>
From: Robert Watson
Date: Sat, 7 Aug 2010 08:08:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r210997 - head/sys/fs/coda

Author: rwatson
Date: Sat Aug 7 08:08:14 2010
New Revision: 210997

URL: http://svn.freebsd.org/changeset/base/210997

Log:
  Properly bounds check ioctl/pioctl data arguments for Coda:

  1. Use unsigned rather than signed lengths
  2. Bound messages to/from Venus to VC_MAXMSGSIZE
  3. Bound messages to/from general user processes to VC_MAXDATASIZE
  4. Update comment regarding data limits for pioctl

  Without (1) and (3), it may be possible for unprivileged user processes
  to read sensitive portions of kernel memory. This issue is only present
  if the Coda kernel module is loaded and venus (the userspace Coda daemon)
  is running and has /coda mounted.

  As Coda is considered experimental and production use is warned against
  in the coda(4) man page, and because Coda must be explicitly configured
  for a configuration to be vulnerable, we won't be issuing a security
  advisory. However, if you are using Coda, then you are advised to apply
  these fixes.

  Reported by:	Dan J. Rosenberg
  Obtained from:	NetBSD (Christos Zoulas)
  Security:	Kernel memory disclosure; no advisory as feature experimental
  MFC after:	3 days

Modified:
  head/sys/fs/coda/coda.h
  head/sys/fs/coda/coda_venus.c
  head/sys/fs/coda/coda_vnops.c

Modified: head/sys/fs/coda/coda.h ============================================================================== --- head/sys/fs/coda/coda.h Sat Aug 7 06:39:58 2010 (r210996) +++ head/sys/fs/coda/coda.h Sat Aug 7 08:08:14 2010 (r210997) @@ -41,7 +41,9 @@ #ifndef _CODA_HEADER_ #define _CODA_HEADER_ +#ifdef _KERNEL #include "opt_coda.h" /* for CODA_COMPAT_5 option */ +#endif /* Avoid CODA_COMPAT_5 redefinition in coda5 module */ #if defined (CODA5_MODULE) && !defined(CODA_COMPAT_5) @@ -782,8 +784,8 @@ union coda_downcalls { #define PIOCPARM_MASK 0x0000ffff struct ViceIoctl { caddr_t in, out; /* Data to be transferred in, or out */ - short in_size; /* Size of input buffer <= 2K */ - short out_size; /* Maximum size of output buffer, <= 2K */ + unsigned short in_size; /* Size of input buffer <= 8K */ + unsigned short out_size; /* Maximum size of output buffer, <= 8K */ }; #if defined(__CYGWIN32__) || defined(DJGPP) Modified: head/sys/fs/coda/coda_venus.c ============================================================================== --- head/sys/fs/coda/coda_venus.c Sat Aug 7 06:39:58 2010 (r210996) +++ head/sys/fs/coda/coda_venus.c Sat Aug 7 08:08:14 2010 (r210997) 
@@ -274,6 +274,12 @@ venus_ioctl(void *mdp, struct CodaFid *f tmp = ((com >> 16) & IOCPARM_MASK) - sizeof (char *) - sizeof (int); inp->cmd |= (tmp & IOCPARM_MASK) << 16; + if (iap->vi.in_size > VC_MAXMSGSIZE || + iap->vi.out_size > VC_MAXMSGSIZE) { + CODA_FREE(inp, coda_ioctl_size); + return (EINVAL); + } + inp->rwflag = flag; inp->len = iap->vi.in_size; inp->data = (char *)(sizeof (struct coda_ioctl_in)); Modified: head/sys/fs/coda/coda_vnops.c ============================================================================== --- head/sys/fs/coda/coda_vnops.c Sat Aug 7 06:39:58 2010 (r210996) +++ head/sys/fs/coda/coda_vnops.c Sat Aug 7 08:08:14 2010 (r210997) @@ -471,7 +471,8 @@ coda_ioctl(struct vop_ioctl_args *ap) iap->path));); return (EINVAL); } - if (iap->vi.in_size > VC_MAXDATASIZE) { + if (iap->vi.in_size > VC_MAXDATASIZE || + iap->vi.out_size > VC_MAXDATASIZE) { NDFREE(&ndp, 0); return (EINVAL); }
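Review bot: the `#ifdef _KERNEL` guard added around `#include "opt_coda.h"` in the first coda.h hunk (line 41) is not one of the four items in the log; it is a separate change (non-kernel includes of coda.h no longer pull in the kernel option header) and deserves its own sentence in the commit message so the MFC carries it knowingly.

Review bot: in the struct ViceIoctl hunk, the refreshed comments hardcode "<= 8K" while the enforcement in coda_ioctl compares against VC_MAXDATASIZE; naming the macro in the comment (e.g. `/* Size of input buffer <= VC_MAXDATASIZE */`) keeps the comment from drifting away from the check again, which is exactly what the old "<= 2K" text had done. The change from `short` to `unsigned short` keeps the field sizes, so the user/kernel layout of the struct is unchanged, but any userland code that compared these fields as signed should be re-read alongside this.

Review bot: in the venus_ioctl hunk, the new VC_MAXMSGSIZE check sits after `inp` is allocated, so the error path rightly frees it with `CODA_FREE(inp, coda_ioctl_size)` before returning EINVAL; a one-line comment stating why the message to Venus is bounded by VC_MAXMSGSIZE here while the same fields are bounded by VC_MAXDATASIZE in coda_ioctl would help, since the relationship between the two constants is not visible in this diff and a reader may otherwise take one of the checks for redundant.

Review bot: in the coda_ioctl hunk, extending the VC_MAXDATASIZE comparison to `iap->vi.out_size` is the user-facing half of the fix for the disclosure described in the log, and it only works together with the coda.h change to `unsigned short`: with the old signed `short`, a negative size passes a `> VC_MAXDATASIZE` test and is then widened to a large length. The header change and this hunk should therefore always be merged as a unit (including in the MFC) rather than cherry-picked separately.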