
compat32: Fix a TOCTOU bug in sendmsg() and recvmsg()
Status: Closed, Public

Authored by markj on Sep 17 2021, 9:10 PM.
Referenced Files
F107332477: D32010.diff
Details

Summary

syzbot hit this panic with the 32-bit fuzzer, no reproducer:
https://syzkaller.appspot.com/bug?id=e47f8199fc594faea8cec1fa52354df6fd30e293

From reading the code, I believe the problem is that freebsd32_sendmsg()
and freebsd32_recvmsg() copyin the msghdr32, but then
freebsd32_copyinmsghdr() does it again. The iov pointer and iovlen from
the first copy are used to copyin the iovec, but the iovlen from the
second copy is then passed to the generic kern_sendit() and kern_recvit()
routines.

kern_sendit() and kern_recvit() loop over the iovec to compute
uio_resid, the sum of the iov lengths. If the iovec length changes
between the two copyins, we can end up walking past the end of the
iovec. I believe this is mostly harmless: at worst it can cause
corruption of user memory since it will cause uninitialized memory to be
treated as an array of iov's.

Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com
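
The double-copyin shape the summary describes, modelled in user space as an added example (this is a constructed analogue, not FreeBSD's sendmsg()/recvmsg() code): the struct layouts, the simulated user memory, the `copyin_hdr`/`copyin_iov` helpers and the "racing writer" hook are all assumptions made for this example. `sendit_double_copyin` reads the header twice and walks the kernel iovec buffer with the second copy's length, so a change to `msg_iovlen` between the two reads makes it walk entries that were never copied in; `sendit_single_copyin` takes one snapshot and uses it for both the iovec copyin and the walk, which is the property the fix needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IOV 8   /* size of the model's kernel iovec buffer (assumption) */

struct iovec32 {            /* 32-bit ABI iovec: two 32-bit words */
    uint32_t iov_base;
    uint32_t iov_len;
};

struct msghdr32 {           /* only the two fields this example needs */
    uint32_t msg_iov;
    uint32_t msg_iovlen;
};

/* Simulated user address space plus a hook standing in for a racing thread. */
struct user_mem {
    struct msghdr32 hdr;
    struct iovec32 iov[MAX_IOV];
    uint32_t race_iovlen;   /* if nonzero, stored into hdr.msg_iovlen after the first header copyin */
    int hdr_copies;         /* how many times the header has been copied in so far */
};

struct result {
    uint32_t resid;         /* sum of iov_len over the entries the kernel path walked */
    int overrun;            /* entries walked that were never copied in from user memory */
};

/* Simulated copyin of the header; the racing write lands right after the first copy. */
static void copyin_hdr(struct user_mem *u, struct msghdr32 *out)
{
    memcpy(out, &u->hdr, sizeof(*out));
    if (u->hdr_copies++ == 0 && u->race_iovlen != 0)
        u->hdr.msg_iovlen = u->race_iovlen;
}

/* Simulated copyin of n iovec entries into the kernel buffer; returns entries copied. */
static uint32_t copyin_iov(const struct user_mem *u, struct iovec32 *kiov, uint32_t n)
{
    if (n > MAX_IOV)
        n = MAX_IOV;
    memcpy(kiov, u->iov, n * sizeof(*kiov));
    return n;
}

/* Walk 'count' entries of the kernel buffer, mirroring the loop that sums uio_resid. */
static struct result walk_iov(const struct iovec32 *kiov, uint32_t copied, uint32_t count)
{
    struct result r = { 0, 0 };
    if (count > MAX_IOV)
        count = MAX_IOV;             /* keep the model itself in bounds */
    for (uint32_t i = 0; i < count; i++) {
        if (i >= copied)
            r.overrun++;             /* stale entry: in the kernel this would be uninitialized memory */
        r.resid += kiov[i].iov_len;
    }
    return r;
}

/* Buggy shape: header read twice; iovec copied with copy #1's length, walked with copy #2's. */
struct result sendit_double_copyin(struct user_mem *u)
{
    struct msghdr32 first, second;
    struct iovec32 kiov[MAX_IOV] = { 0 };
    copyin_hdr(u, &first);
    uint32_t copied = copyin_iov(u, kiov, first.msg_iovlen);
    copyin_hdr(u, &second);          /* independent second read of user memory */
    return walk_iov(kiov, copied, second.msg_iovlen);
}

/* Fixed shape: one copyin, and that single snapshot drives both the iovec copy and the walk. */
struct result sendit_single_copyin(struct user_mem *u)
{
    struct msghdr32 hdr;
    struct iovec32 kiov[MAX_IOV] = { 0 };
    copyin_hdr(u, &hdr);
    uint32_t copied = copyin_iov(u, kiov, hdr.msg_iovlen);
    return walk_iov(kiov, copied, hdr.msg_iovlen);
}

/* Constructed user memory: two iovecs of 10 and 20 bytes; race_iovlen models a concurrent writer. */
struct user_mem make_user_mem(uint32_t race_iovlen)
{
    struct user_mem u;
    memset(&u, 0, sizeof(u));
    u.hdr.msg_iov = 0x1000;          /* placeholder user address, unused by the model */
    u.hdr.msg_iovlen = 2;
    u.iov[0].iov_len = 10;
    u.iov[1].iov_len = 20;
    u.race_iovlen = race_iovlen;
    return u;
}

/* Returns how many never-copied entries the chosen path walked under a given race. */
int demo_overrun(int use_single_copyin, uint32_t race_iovlen)
{
    struct user_mem u = make_user_mem(race_iovlen);
    struct result r = use_single_copyin ? sendit_single_copyin(&u) : sendit_double_copyin(&u);
    return r.overrun;
}

int main(void)
{
    printf("double copyin, iovlen raced 2->4: overrun=%d\n", demo_overrun(0, 4));
    printf("single copyin, iovlen raced 2->4: overrun=%d\n", demo_overrun(1, 4));
    return 0;
}
```

With no racing write both paths walk exactly the two copied entries. With `msg_iovlen` flipped from 2 to 4 between the reads, the double-copyin path walks two entries it never copied in, which is the walk past the end of the iovec the summary describes; the single-snapshot path is unaffected because the value it walks with is the value it copied with.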

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 41576
Build 38465: arc lint + arc unit