From 231b46e180f099251d428ecc0bb49fcca02b7312 Mon Sep 17 00:00:00 2001
From: mav
Date: Thu, 6 Sep 2018 14:03:10 +0000
Subject: [PATCH] Add missing copyin() to access LUN and port ioctl arguments.
Somehow this was working even after PTI in, at least on amd64, and got broken by something only very recently.
Reviewed by: araujo
Approved by: re (gjb)
---
 sys/cam/ctl/ctl.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 94bc97bc033d..2606327d3851 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -2943,8 +2943,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 }
 if (lun_req->args != NULL) {
- lun_req->args_nvl = nvlist_unpack(lun_req->args,
+ packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
+ if (copyin(lun_req->args, packed, lun_req->args_len) != 0) {
+ free(packed, M_CTL);
+ lun_req->status = CTL_LUN_ERROR;
+ snprintf(lun_req->error_str, sizeof(lun_req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ lun_req->args_nvl = nvlist_unpack(packed,
 lun_req->args_len, 0);
+ free(packed, M_CTL);
 if (lun_req->args_nvl == NULL) {
 lun_req->status = CTL_LUN_ERROR;
@@ -3211,8 +3220,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
 }
 if (req->args != NULL) {
- req->args_nvl = nvlist_unpack(req->args,
+ packed = malloc(req->args_len, M_CTL, M_WAITOK);
+ if (copyin(req->args, packed, req->args_len) != 0) {
+ free(packed, M_CTL);
+ req->status = CTL_LUN_ERROR;
+ snprintf(req->error_str, sizeof(req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ req->args_nvl = nvlist_unpack(packed,
 req->args_len, 0);
+ free(packed, M_CTL);
 if (req->args_nvl == NULL) {
 req->status = CTL_LUN_ERROR;
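Review bot: `lun_req->args_len` reaches `malloc(lun_req->args_len, M_CTL, M_WAITOK)` with no upper bound in the first hunk, and `req->args_len` does the same in the second hunk. The length appears to come from the ioctl caller's request structure, so the caller would control the size of a sleeping kernel allocation that is made before copyin() has a chance to fail. A bound check ahead of the allocation, reporting through the same `status`/`error_str` path, would limit that; the limit name in the excerpt is a placeholder, not an existing constant. ctl_ioctl() starts and ends outside both hunks, so any earlier validation of `args_len` is not visible here.

```c
		if (lun_req->args != NULL) {
			/* ARGS_LEN_LIMIT_PLACEHOLDER: choose a bound that fits real option lists. */
			if (lun_req->args_len > ARGS_LEN_LIMIT_PLACEHOLDER) {
				lun_req->status = CTL_LUN_ERROR;
				snprintf(lun_req->error_str, sizeof(lun_req->error_str),
				    "Args too large.");
				break;
			}
			packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
			/* … unchanged: copyin, nvlist_unpack, free(packed) … */
			/* … same guard on req->args_len in the port-request hunk … */
```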