Fix bugs in plugable CC algorithm and siftr sysctls.
ClosedPublic
Actions

Authored by brooks on Dec 6 2018, 12:25 AM.

Details

Reviewers

lstewart
kib
emaste
markj
bz

Group Reviewers

secteam
transport

Commits

rS342189: Partial MFC of r342125:
rS342188: MFC r342125:
rS342125: Fix bugs in plugable CC algorithm and siftr sysctls.

Summary

Use the sysctl_handle_int() handler to write out the old value and read
the new value into a temporary variable. Use the temporary variable
for any checks of values rather than using the CAST_PTR_INT() macro on
req->newptr. The prior usage read directly from userspace memory if the
sysctl() was called correctly. This is unsafe and doesn't work at all on
some architectures (at least i386.)

In some cases, the code could also be tricked into reading from kernel
memory and leaking limited information about the contents or crashing
the system. This was true for CDG, newreno, and siftr on all platforms
and true for i386 in all cases. The impact of this bug is largest in
VIMAGE jails which have been configured to allow writing to these
sysctls.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

brooks created this revision.Dec 6 2018, 12:25 AM

Harbormaster completed remote builds in B21382: Diff 51631.Dec 6 2018, 12:28 AM

brooks marked an inline comment as done.Dec 6 2018, 12:37 AM

brooks added inline comments.

sys/netinet/cc/cc_chd.c
423 ↗	(On Diff #51631)	I really don't know what the right thing to do here is. This code only allows 0. The old code actually allowed 0 and values greater than INT_MAX because it cast to int rather than u_int...

markj added inline comments.Dec 6 2018, 12:50 AM

sys/netinet/cc/cc_chd.c
423 ↗	(On Diff #51631)	It looks like the intent is to only permit 0 and 1? Why do you say that it only allows 0?

brooks added a child revision: D18444: const poison the `new` pointer of __sysctl..Dec 6 2018, 12:57 AM

brooks marked an inline comment as done.Dec 6 2018, 4:25 AM

brooks added inline comments.

sys/netinet/cc/cc_chd.c
423 ↗	(On Diff #51631)	You're right, for some reason I was parsing as >=1. The previous code failed to do anything sane, but this is ok.

markj added inline comments.Dec 6 2018, 4:27 AM

sys/netinet/cc/cc_chd.c
423 ↗	(On Diff #51631)	I think you could just use SYSCTL_BOOL and avoid the custom handler.

Remove comment resulting from mis-reading code.

Harbormaster completed remote builds in B21396: Diff 51658.Dec 6 2018, 4:14 PM

brooks added a reviewer: transport.Dec 6 2018, 4:18 PM

brooks marked 3 inline comments as done.

brooks added inline comments.

sys/netinet/cc/cc_chd.c
423 ↗	(On Diff #51631)	That's an API change for programmatic callers, but I suspect that's ok.
441 ↗	(On Diff #51631)	I do wonder if there are enough of these to warrant a SYSCTL_UINT_RANGE or the like.

brooks edited the summary of this revision. (Show Details)Dec 6 2018, 4:20 PM

markj accepted this revision.Dec 6 2018, 4:29 PM

markj added inline comments.

sys/netinet/cc/cc_cdg.c
362 ↗	(On Diff #51658)	In other handlers we read the constant directly, which I find a bit clearer.
sys/netinet/cc/cc_newreno.c
373 ↗	(On Diff #51658)	Coverity will probably complain about testing whether an unsigned quantity is <= 0.
sys/netinet/cc/cc_vegas.c
261 ↗	(On Diff #51658)	`new == 0 \|\| ...` for consistency?