
freebsd32: Fix a double copyin in sendmsg() and recvmsg()

Description

freebsd32: Fix a double copyin in sendmsg() and recvmsg()

freebsd32_sendmsg() and freebsd32_recvmsg() both copyin the message
header twice, once directly and once in freebsd32_copyinmsghdr(). The
iovec length from the former is used when copying in msg_iov, but the
rest of the kernel uses the iovec length from the latter. When
kern_sendit() and kern_recvit() iterate over the iovec to compute the
residual for I/O, they can therefore end up walking past the end of the
copied-in iovec, either resulting in a system call error, userspace
memory corruption from uiomove() with invalid iovecs, or a kernel page
fault if the copied-in iovec is followed by an unmapped KVA region.

Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com
Reviewed by: kib, emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32010
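The following user-space model is an added illustration of the bug class the description identifies; it is not code from this commit or from the FreeBSD kernel. It treats "user memory" as a global buffer, models copyin() as memcpy(), and simulates the racing thread with a hook that rewrites msg_iovlen immediately after the first copy of the header. The msghdr32/iovec32 layouts are reduced to the fields that matter, and every name (umem, walk_iovecs, overrun_with_double_copyin, overrun_with_single_copyin) is an assumption of the example rather than a kernel identifier.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not FreeBSD code.  "User memory" is a global buffer,
 * copyin() is a memcpy, and the racing thread is simulated by a hook that
 * rewrites msg_iovlen right after the first copy of the header.  Struct
 * layouts are reduced to the relevant fields; all names are assumed.
 */

struct iovec32 {
	uint32_t iov_base;	/* 32-bit user pointer, opaque here */
	uint32_t iov_len;
};

struct msghdr32 {		/* other fields omitted for the model */
	uint32_t msg_iov;	/* 32-bit user pointer to the iovec32 array */
	uint32_t msg_iovlen;
};

/* Simulated user memory: the header followed by a one-entry iovec array. */
static struct {
	struct msghdr32 hdr;
	struct iovec32 iov[1];
} umem;

static int copyin_calls;	/* copyin() calls so far */
static uint32_t racer_iovlen;	/* value the "other thread" writes */

/* copyin() model: after the first copy of the header the racing thread gets
 * to run and changes msg_iovlen in user memory (the TOCTOU window). */
static void
copyin(const void *uaddr, void *kaddr, size_t len)
{
	memcpy(kaddr, uaddr, len);
	if (++copyin_calls == 1)
		umem.hdr.msg_iovlen = racer_iovlen;
}

/* Model of the residual computation in kern_sendit()/kern_recvit(): walks
 * `iterate` entries, but only `copied` entries were copied in, so any index
 * >= copied would read past the kernel array.  Those reads are counted in
 * *overrun instead of performed.  Returns the residual byte count. */
static uint32_t
walk_iovecs(const struct iovec32 *kiov, uint32_t copied, uint32_t iterate,
    uint32_t *overrun)
{
	uint32_t i, resid = 0;

	*overrun = 0;
	for (i = 0; i < iterate; i++) {
		if (i >= copied) {
			(*overrun)++;
			continue;
		}
		resid += kiov[i].iov_len;
	}
	return (resid);
}

static void
setup_user_memory(uint32_t racer_value)
{
	memset(&umem, 0, sizeof(umem));
	umem.hdr.msg_iov = 0x1000;	/* fake user address, never dereferenced */
	umem.hdr.msg_iovlen = 1;	/* constructed: one genuine iovec */
	umem.iov[0].iov_base = 0x2000;
	umem.iov[0].iov_len = 64;
	racer_iovlen = racer_value;
	copyin_calls = 0;
}

/* Buggy sequence: the header is copied twice.  The first copy's msg_iovlen
 * sizes the iovec copy; the second copy's msg_iovlen drives the iteration.
 * Returns how many entries the walk reads past the copied-in array. */
int
overrun_with_double_copyin(void)
{
	struct msghdr32 first, second;
	struct iovec32 *kiov;
	uint32_t overrun;

	setup_user_memory(8);
	copyin(&umem.hdr, &first, sizeof(first));	/* direct copyin */
	copyin(&umem.hdr, &second, sizeof(second));	/* copyinmsghdr() */

	kiov = calloc(first.msg_iovlen, sizeof(*kiov));
	copyin(umem.iov, kiov, first.msg_iovlen * sizeof(*kiov));
	(void)walk_iovecs(kiov, first.msg_iovlen, second.msg_iovlen, &overrun);
	free(kiov);
	return ((int)overrun);
}

/* Fixed sequence: copy the header once and use that single copy for both
 * the iovec copy and the iteration, so the race cannot desynchronize them. */
int
overrun_with_single_copyin(void)
{
	struct msghdr32 hdr;
	struct iovec32 *kiov;
	uint32_t overrun;

	setup_user_memory(8);
	copyin(&umem.hdr, &hdr, sizeof(hdr));	/* racer still fires here */

	kiov = calloc(hdr.msg_iovlen, sizeof(*kiov));
	copyin(umem.iov, kiov, hdr.msg_iovlen * sizeof(*kiov));
	(void)walk_iovecs(kiov, hdr.msg_iovlen, hdr.msg_iovlen, &overrun);
	free(kiov);
	return ((int)overrun);
}

int
main(void)
{
	printf("double copyin: %d iovec(s) read past the copied-in array\n",
	    overrun_with_double_copyin());
	printf("single copyin: %d iovec(s) read past the copied-in array\n",
	    overrun_with_single_copyin());
	return (0);
}
```

With the racer raising msg_iovlen from 1 to 8 between the two header copies, the buggy sequence walks seven entries beyond the one-entry kernel array; in a real kernel those reads land in whatever follows the allocation, which is exactly the invalid-iovec uiomove() or KVA page fault the description lists. The fixed sequence is immune by construction: the racer still rewrites user memory, but the kernel never looks at user memory a second time, so the count used for sizing and the count used for iteration are the same value.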

Details

Provenance
markj, authored on Sep 19 2021, 5:45 PM
Reviewer
kib
Differential Revision
D32010: compat32: Fix a TOCTOU bug in sendmsg() and recvmsg()
Parents
rG4bda16ff184b: freebsd32: Provide an ANSI definition for freebsd32_recvmsg()