Page MenuHomeFreeBSD
Differential D55881

linux: Fix sockopt copyout
ClosedPublic
Actions

Authored by chuck on Mar 16 2026, 6:34 PM.
Tags
None
Referenced Files
F160525983: D55881.id.diff
Thu, Jun 25, 8:53 AM
Unknown Object (File)
Wed, Jun 24, 12:13 PM
Unknown Object (File)
Wed, Jun 24, 5:09 AM
Unknown Object (File)
Wed, Jun 24, 3:36 AM
Unknown Object (File)
Tue, Jun 23, 6:44 AM
Unknown Object (File)
Sun, Jun 21, 3:00 AM
Unknown Object (File)
Sun, Jun 21, 3:00 AM
Unknown Object (File)
Sat, Jun 20, 6:21 PM
View All 39 Files
Subscribers
imp

Details

Reviewers
emaste
kib
markj
Commits
rG471fdd91d915: linux: Fix sockopt copyout
Summary

The Linux getsockopt did not check the size of the provided buffer when
copying out the value, leading to buffer overflows (e.g., for TCP_INFO).

Fix is to use the smaller of the option value size and the provided
buffer.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

chuck created this revision.Mar 16 2026, 6:34 PM
Herald added a subscriber: imp. · View Herald TranscriptMar 16 2026, 6:34 PM
chuck requested review of this revision.Mar 16 2026, 6:34 PM
Harbormaster completed remote builds in B71430: Diff 173763.Mar 16 2026, 6:34 PM
chuck added a child revision: D55882: linux: Add TCP_INFO support.Mar 16 2026, 6:35 PM
kib added inline comments.Mar 16 2026, 8:43 PM
sys/compat/linux/linux_socket.c
2319

Is it right to use FreeBSD-native type for socklen? Do we need e.g. linux_socklen_t, if we do not have it already?

chuck added inline comments.Mar 17 2026, 2:43 PM
sys/compat/linux/linux_socket.c
2319

There is a l_socklen_t in sys/amd64/linux/linux.h, but it is defined as an l_ulong. Since linux_getsockopt_args defines optlen as l_uintptr_t, perhaps this should be l_uint?

kib added inline comments.Mar 17 2026, 3:16 PM
sys/compat/linux/linux_socket.c
2319

But why l_uint? It should be l_socklen_t, no?

markj added inline comments.Mar 20 2026, 2:59 AM
sys/compat/linux/linux_socket.c
2319

In the Linux sources the type is int *. I don't know why our emulator uses l_uintptr_t, it looks incorrect. Probably that should be fixed.

chuck updated this revision to Diff 179313.Fri, Jun 5, 10:16 PM

Update change from review feedback

Harbormaster completed remote builds in B73716: Diff 179313.Fri, Jun 5, 10:16 PM
kib accepted this revision.Sat, Jun 6, 3:37 AM
This revision is now accepted and ready to land.Sat, Jun 6, 3:37 AM
markj added inline comments.Mon, Jun 8, 1:33 PM
sys/compat/linux/linux_socket.c
2321–2322

Now I don't understand what this change is fixing. Is it the loptlen < 0 check that's required?

chuck added inline comments.Mon, Jun 8, 6:04 PM
sys/compat/linux/linux_socket.c
2321–2322

The fix is the copyin() of optlen to reconcile how much data to copyout() (smaller of length passed to the function and the Linux buffer length).

The "less than zero" check is to account for the sign difference when converting Linux's integer optlen to (an unsigned) socklen_t in order to compare the buffer sizes.

chuck updated this revision to Diff 179402.Mon, Jun 8, 6:11 PM

Rebase

This revision now requires review to proceed.Mon, Jun 8, 6:11 PM
Harbormaster completed remote builds in B73750: Diff 179402.Mon, Jun 8, 6:11 PM
markj accepted this revision.Mon, Jun 8, 6:23 PM
This revision is now accepted and ready to land.Mon, Jun 8, 6:23 PM
Closed by commit rG471fdd91d915: linux: Fix sockopt copyout (authored by chuck). · Explain WhyMon, Jun 8, 9:29 PM
This revision was automatically updated to reflect the committed changes.
chuck added a commit: rG471fdd91d915: linux: Fix sockopt copyout.

Revision Contents
Changeset List

PathSize
sys/
compat/
linux/
17 lines

Diff 179413

View Options

sys/compat/linux/linux_socket.c

Loading...