sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
ClosedPublic
Actions

Authored by christos on Fri, May 17, 9:33 PM.

Details

Reviewers

markj
emaste
dev_submerge.ch
imp
brooks

Commits

rG18f80d6d4634: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
rG5830a00c2c54: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
rG074d337ad618: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

Summary

SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
however we currently do not check whether this size is actually valid,
which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
invalid size. sndstat_add_user_devs() calls
sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

PR: 266142
Sponsored by: The FreeBSD Foundation
MFC after: 3 days

Test Plan

Test program (stolen from the PR):

#include <sys/sndstat.h>

#include <err.h>
#include <fcntl.h>
#include <string.h>

int
main(int argc, char *argv[])
{
        char buf[128];
        int fd;

        if ((fd = open("/dev/sndstat", O_RDWR)) < 0)
                err(1, "open()");
        memset(buf, 0xff, sizeof(buf));
        if (ioctl(fd, SNDSTIOC_ADD_USER_DEVS, buf) < 0)
                err(1, "ioctl(SNDSTIOC_ADD_USER_DEVS)");

        return (0);
}

Without the patch we get the following panics:

With memset(0xff):

panic: Assertion size > 0 failed at /mnt/src/sys/kern/subr_vmem.c:1330
cpuid = 0
time = 1715986423
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046dd5110
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046dd5270
vpanic() at vpanic+0x210/frame 0xfffffe0046dd5410
panic() at panic+0xb5/frame 0xfffffe0046dd54d0
vmem_alloc() at vmem_alloc+0x137/frame 0xfffffe0046dd5510
kmem_malloc_domainset() at kmem_malloc_domainset+0x19f/frame 0xfffffe0046dd5650
malloc_large() at malloc_large+0x35/frame 0xfffffe0046dd5690
sndstat_ioctl() at sndstat_ioctl+0x233/frame 0xfffffe0046dd5790
devfs_ioctl() at devfs_ioctl+0x1f6/frame 0xfffffe0046dd5870
vn_ioctl() at vn_ioctl+0x235/frame 0xfffffe0046dd5a80
devfs_ioctl_f() at devfs_ioctl_f+0x6c/frame 0xfffffe0046dd5ad0
kern_ioctl() at kern_ioctl+0x3a1/frame 0xfffffe0046dd5bb0
sys_ioctl() at sys_ioctl+0x247/frame 0xfffffe0046dd5d10
amd64_syscall() at amd64_syscall+0x39e/frame 0xfffffe0046dd5f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0046dd5f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8211d68fa, rsp = 0x820b52bd8, rbp = 0x820b52c40 ---
KDB: enter: panic
[ thread pid 908 tid 100143 ]
Stopped at      kdb_enter+0x34: movq    $0,0x1f09d01(%rip)

Without the memset():

panic: pmap_san_enter_alloc_4k: no memory to grow shadow map
cpuid = 0
time = 1715986510
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046db8930
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046db8a90
vpanic() at vpanic+0x210/frame 0xfffffe0046db8c30
panic() at panic+0xb5/frame 0xfffffe0046db8cf0
pmap_san_enter_alloc_4k() at pmap_san_enter_alloc_4k+0x2f/frame 0xfffffe0046db8d00
pmap_san_enter() at pmap_san_enter+0x228/frame 0xfffffe0046db8d40
kasan_shadow_map() at kasan_shadow_map+0x98/frame 0xfffffe0046db8d60
pmap_growkernel() at pmap_growkernel+0x9d/frame 0xfffffe0046db8db0
vm_map_insert1() at vm_map_insert1+0x460/frame 0xfffffe0046db8ef0
vm_map_find() at vm_map_find+0x877/frame 0xfffffe0046db9050
kva_import() at kva_import+0xb5/frame 0xfffffe0046db9130
vmem_try_fetch() at vmem_try_fetch+0x1d0/frame 0xfffffe0046db9220
vmem_xalloc() at vmem_xalloc+0x6f8/frame 0xfffffe0046db92d0
kva_import_domain() at kva_import_domain+0x35/frame 0xfffffe0046db9310
vmem_try_fetch() at vmem_try_fetch+0x1d0/frame 0xfffffe0046db9400
vmem_xalloc() at vmem_xalloc+0x6f8/frame 0xfffffe0046db94b0
vmem_alloc() at vmem_alloc+0x97/frame 0xfffffe0046db9510
kmem_malloc_domainset() at kmem_malloc_domainset+0x19f/frame 0xfffffe0046db9650
malloc_large() at malloc_large+0x35/frame 0xfffffe0046db9690
sndstat_ioctl() at sndstat_ioctl+0x233/frame 0xfffffe0046db9790
devfs_ioctl() at devfs_ioctl+0x1f6/frame 0xfffffe0046db9870
vn_ioctl() at vn_ioctl+0x235/frame 0xfffffe0046db9a80
devfs_ioctl_f() at devfs_ioctl_f+0x6c/frame 0xfffffe0046db9ad0
kern_ioctl() at kern_ioctl+0x3a1/frame 0xfffffe0046db9bb0
sys_ioctl() at sys_ioctl+0x247/frame 0xfffffe0046db9d10
amd64_syscall() at amd64_syscall+0x39e/frame 0xfffffe0046db9f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0046db9f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8218ef8fa, rsp = 0x820490998, rbp = 0x820490a40 ---
KDB: enter: panic
[ thread pid 909 tid 100146 ]
Stopped at      kdb_enter+0x34: movq    $0,0x1f09d01(%rip)

Applying the patch makes both panics go away.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

christos created this revision.Fri, May 17, 9:33 PM

Herald added a subscriber: imp. · View Herald TranscriptFri, May 17, 9:33 PM

christos requested review of this revision.Fri, May 17, 9:33 PM

Harbormaster completed remote builds in B57744: Diff 138702.Fri, May 17, 9:33 PM

christos edited the test plan for this revision. (Show Details)Fri, May 17, 9:36 PM

christos added inline comments.

sys/dev/sound/pcm/sndstat.c
971	Maybe we could return `ERANGE` instead?

christos added a reviewer: imp.Fri, May 17, 9:38 PM

You need to decide the type of data based on the command passed before you examine it so you'll need a case statement before the tests. I'd also tend not to assign the arg/arg32 until you've decided the type. Additionally, data will be NULL for at least SNDSTIOC_REFRESH_DEVS and SNDSTIOC_FLUSH_USER_DEVS,

In D45236#1031986, @brooks wrote:

You need to decide the type of data based on the command passed before you examine it so you'll need a case statement before the tests. I'd also tend not to assign the arg/arg32 until you've decided the type. Additionally, data will be NULL for at least SNDSTIOC_REFRESH_DEVS and SNDSTIOC_FLUSH_USER_DEVS,

Good catch, thank you. Will update the diff shortly. :)

Address brooks' comment.

Harbormaster completed remote builds in B57746: Diff 138705.Fri, May 17, 10:48 PM

christos added a reviewer: brooks.Fri, May 17, 10:51 PM

More comments.

sys/dev/sound/pcm/sndstat.c
971	Does it actually make sense to check the GET case? If the programmer wants to allocate too much space that's their problem.
974	`sizeof(size_t) * 8 - 1` seem both relatively small, oddly aligned, and magic. Usually we just care that we're not making a giant kernel allocation so can let things be big as long as they aren't too big. Also, a size_t (or uint32_t below) can't be negative.

christos marked an inline comment as done.Fri, May 17, 11:21 PM

christos added inline comments.

sys/dev/sound/pcm/sndstat.c
974	What do you think a good max value would be? As for the < 0 case, the test program actually makes `nbytes` be -1 for some reason: sndstat_add_user_devs(): nbytes=-1

christos retitled this revision from sound: Check user-supplied size passed to sndstat_ioctl() to sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*.Sun, May 19, 6:56 PM

christos edited the summary of this revision. (Show Details)