
compat32: Fix a TOCTOU bug in sendmsg() and recvmsg()
ClosedPublic

Authored by markj on Sep 17 2021, 9:10 PM.
Details

Summary

syzbot hit this panic with the 32-bit fuzzer, no reproducer:
https://syzkaller.appspot.com/bug?id=e47f8199fc594faea8cec1fa52354df6fd30e293

From reading the code, I believe the problem is that freebsd32_sendmsg()
and freebsd32_recvmsg() copyin the msghdr32, but then
freebsd32_copyinmsghdr() does it again. The iov pointer and iovlen from
the first copy are used to copyin the iovec, but the iovlen from the
second copy is then passed to the generic kern_sendit() and kern_recvit()
routines.

kern_sendit() and kern_recvit() loop over the iovec to compute
uio_resid, the sum of the iov lengths. If the iovec length changes
between the two copyins, we can end up walking past the end of the
iovec. I believe this is mostly harmless: at worst it can cause
corruption of user memory since it will cause uninitialized memory to be
treated as an array of iov's.

Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com
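To make the double-copyin race concrete, the following is an added user-space model of the bug class described in the summary, not FreeBSD's code and not the patch under review. It keeps the shape of the description (a 32-bit msghdr copied twice, the iovec sized by the first copy's iovlen, the second copy's iovlen handed to the generic routine) and contrasts it with the fix of copying the header once. The types and helpers `msghdr32_t`, `user_copyin()`, `compute_resid()`, `buggy_sendmsg()` and `fixed_sendmsg()` are hypothetical; `compute_resid()` reports an overrun as -1 instead of reading past the copied array, so the model stays well-defined.

```c
/*
 * Added illustration (not FreeBSD code): a user-space model of the
 * double-copyin TOCTOU pattern from the summary, and the fix of copying
 * the 32-bit msghdr exactly once. All names below are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit iovec and msghdr as the kernel would see them. */
struct iovec32 { uint32_t base; uint32_t len; };
typedef struct {
    const struct iovec32 *iov;
    uint32_t iovlen;
} msghdr32_t;

/* Simulated "user memory": a racing thread may rewrite iovlen between copies. */
struct user_state {
    msghdr32_t hdr;
    int flips_left;     /* how many copies the racing writer still perturbs */
    uint32_t racy_len;  /* the value it writes into hdr.iovlen */
};

/* Stand-in for copyin(): returns a snapshot of the header, then lets the
 * simulated racing writer change iovlen so the next copy sees a new value. */
static msghdr32_t user_copyin(struct user_state *u) {
    msghdr32_t snap = u->hdr;
    if (u->flips_left > 0) { u->hdr.iovlen = u->racy_len; u->flips_left--; }
    return snap;
}

/* Stand-in for the kern_sendit()/kern_recvit() loop that sums iov lengths.
 * n_alloc: entries actually copied in; n_used: count the caller trusts.
 * Returns -1 where the real loop would walk past the end of the array. */
static long compute_resid(const struct iovec32 *iov, uint32_t n_alloc, uint32_t n_used) {
    if (n_used > n_alloc) return -1;           /* would read uninitialized memory */
    long resid = 0;
    for (uint32_t i = 0; i < n_used; i++) resid += iov[i].len;
    return resid;
}

/* Buggy flow: header copied twice. The iovec is sized by the first copy's
 * iovlen, but the second copy's iovlen is passed to the generic routine. */
long buggy_sendmsg(struct user_state *u) {
    msghdr32_t first = user_copyin(u);
    const struct iovec32 *iov = first.iov;    /* iovec copied using first.iovlen */
    msghdr32_t second = user_copyin(u);       /* header copied in a second time */
    return compute_resid(iov, first.iovlen, second.iovlen);
}

/* Fixed flow: one copy; every later decision derives from that snapshot. */
long fixed_sendmsg(struct user_state *u) {
    msghdr32_t hdr = user_copyin(u);
    return compute_resid(hdr.iov, hdr.iovlen, hdr.iovlen);
}

/* Constructed input: two iovecs of 10 and 20 bytes; when racing, the
 * simulated writer bumps iovlen to 1000 between the two copies. */
static struct user_state make_state(int racing) {
    static const struct iovec32 iovs[2] = { {0x1000, 10}, {0x2000, 20} };
    struct user_state u;
    memset(&u, 0, sizeof u);
    u.hdr.iov = iovs;
    u.hdr.iovlen = 2;
    u.flips_left = racing ? 1 : 0;
    u.racy_len = 1000;
    return u;
}

long run_buggy(int racing) { struct user_state u = make_state(racing); return buggy_sendmsg(&u); }
long run_fixed(int racing) { struct user_state u = make_state(racing); return fixed_sendmsg(&u); }

int main(void) {
    printf("no race:   buggy=%ld fixed=%ld\n", run_buggy(0), run_fixed(0));
    printf("with race: buggy=%ld fixed=%ld\n", run_buggy(1), run_fixed(1));
    return 0;
}
```

Without a race both paths agree on a residual of 30; with the race, the buggy path asks the summing loop for 1000 entries although only 2 were copied in (reported here as -1), while the single-copy path is unaffected because the count and the copied array come from the same snapshot.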

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 41576
Build 38465: arc lint + arc unit