Differential D42099

ktrace: Handle uio_resid underflow via MSG_TRUNC
ClosedPublic
Actions

Authored by markj on Oct 5 2023, 9:36 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Tue, May 7, 5:13 PM

	Unknown Object (File)
	Apr 23 2024, 2:09 PM

	Unknown Object (File)
	Apr 23 2024, 2:09 PM

	Unknown Object (File)
	Apr 23 2024, 2:09 PM

	Unknown Object (File)
	Apr 23 2024, 1:57 PM

	Unknown Object (File)
	Feb 22 2024, 5:27 PM

	Unknown Object (File)
	Jan 31 2024, 12:39 PM

	Unknown Object (File)
	Jan 31 2024, 12:39 PM

View All 23 Files

Subscribers

Details

Reviewers

kib
glebius
tuexen

Commits

rG315dd7f2e12a: ktrace: Handle uio_resid underflow via MSG_TRUNC
rGeb965d4f0309: ktrace: Handle uio_resid underflow via MSG_TRUNC
rGa861521ac98f: ktrace: Handle uio_resid underflow via MSG_TRUNC
rG761ae1ce798a: ktrace: Handle uio_resid underflow via MSG_TRUNC

Summary

When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
intentionally underflow uio_resid so that userspace can find out how
many bytes it should have asked for.

If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
copy in beyond the end of the output buffer's iovec. In general this
will silently cause the ktrace operation to fail since it'll result in
EFAULT from uiomove(). Let's be more careful and make sure not to try
and copy more bytes than we have.

Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Oct 5 2023, 9:36 PM

Herald added a subscriber: imp. · View Herald TranscriptOct 5 2023, 9:36 PM

markj requested review of this revision.Oct 5 2023, 9:36 PM

Harbormaster completed remote builds in B53862: Diff 128333.Oct 5 2023, 9:36 PM

markj added a parent revision: D42098: uiomove: Add some assertions.Oct 5 2023, 9:36 PM

markj added a reviewer: tuexen.Oct 5 2023, 9:37 PM

markj mentioned this in D42098: uiomove: Add some assertions.Oct 5 2023, 10:01 PM

kib accepted this revision.Oct 5 2023, 10:02 PM

kib added inline comments.

sys/kern/uipc_syscalls.c
951–952

This revision is now accepted and ready to land.Oct 5 2023, 10:02 PM

markj marked an inline comment as done.Oct 6 2023, 12:12 AM

Closed by commit rG761ae1ce798a: ktrace: Handle uio_resid underflow via MSG_TRUNC (authored by markj). · Explain WhyOct 17 2023, 1:38 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rG761ae1ce798a: ktrace: Handle uio_resid underflow via MSG_TRUNC.

markj added a commit: rGa861521ac98f: ktrace: Handle uio_resid underflow via MSG_TRUNC.Oct 20 2023, 4:02 PM

markj added a commit: rGeb965d4f0309: ktrace: Handle uio_resid underflow via MSG_TRUNC.

markj added a commit: rG315dd7f2e12a: ktrace: Handle uio_resid underflow via MSG_TRUNC.Oct 22 2023, 3:06 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

uipc_syscalls.c

3 lines

Diff 128908

sys/kern/uipc_syscalls.c

Loading...