K 10
svn:author
V 7
git2svn
K 8
svn:date
V 27
2021-01-11T14:54:48.547421Z
K 7
svn:log
V 790
mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size. Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor. This is a bit heavy-handed
but I expect the overhead will not be noticeable. The approach of
copying the header in first is susceptible to TOCTOU problems.

Reviewed by: imp
Reported by: maxpl0it@protonmail.com
Differential Revision: https://reviews.freebsd.org/D27963

(cherry picked from commit de828a91db29fb20440e0d92f3d3136b314a9584)

Git Hash: ed6fa9d618bff47dcd3fb000e5805e29d331578d
Git Author: markj@FreeBSD.org
END