From: Jessica Clarke
Date: Thu, 15 Sep 2022 16:17:03 GMT
Subject: git: 7b673a2c73d0 - main - freebsd32: Make sendmsg match native ABI for unpadded final control message
Message-Id: <202209151617.28FGH3Z9023485@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7b673a2c73d0577e2c006aeb110295a522b98135

The branch main has been updated by jrtc27:

URL:
https://cgit.FreeBSD.org/src/commit/?id=7b673a2c73d0577e2c006aeb110295a522b98135

commit 7b673a2c73d0577e2c006aeb110295a522b98135
Author:     Jessica Clarke
AuthorDate: 2022-09-15 16:16:22 +0000
Commit:     Jessica Clarke
CommitDate: 2022-09-15 16:16:22 +0000

    freebsd32: Make sendmsg match native ABI for unpadded final control message

    The API says that CMSG_SPACE should be used for msg_controllen, but in
    practice the native ABI allows you to only use CMSG_LEN for the final
    (typically only) control message, and real-world software does this,
    including Wayland.

    For freebsd32, this is in practice mostly harmless, since control
    messages are generally used to carry file descriptors, which are already
    4 bytes in size and thus no padding is needed, but they can carry other
    quantities that may not result in an aligned length.

    This was discovered after CheriBSD's freebsd64 equivalent was updated to
    match the freebsd32 implementation, as that uses 8 byte alignment which
    does break the file descriptor use case, and thus Wayland.

    This used to be addressed by aligning buflen before the first iteration,
    but that allowed unwanted invalid inputs and was lost in 1b1428dcc82b,
    with no safer equivalent put in its place.

    Reviewed by:	brooks, kib, markj
    Obtained from:	CheriBSD
    Fixes:	1b1428dcc82b ("Fix a TOCTOU vulnerability in freebsd32_copyin_control().")
    MFC after:	1 week
    Differential Revision:	https://reviews.freebsd.org/D36554
---
 sys/compat/freebsd32/freebsd32_misc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index b4c212ecd38d..a52b33a72f8a 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -1556,15 +1556,19 @@ freebsd32_copyin_control(struct mbuf **mp, caddr_t buf, u_int buflen) break; } cm = (struct cmsghdr *)in1; - if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm))) { + if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm)) || + cm->cmsg_len > buflen) { error = EINVAL; break; } msglen = FREEBSD32_ALIGN(cm->cmsg_len); - if (msglen > buflen || msglen < cm->cmsg_len) { + if (msglen < cm->cmsg_len) { error = EINVAL; break; } + /* The native ABI permits the final padding to be omitted. */ + if (msglen > buflen) + msglen = buflen; buflen -= msglen; in1 = (char *)in1 + msglen;
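Review bot: the new clamp `if (msglen > buflen) msglen = buflen;` accepts any buflen in the range cm->cmsg_len <= buflen < FREEBSD32_ALIGN(cm->cmsg_len), that is partially as well as wholly omitted trailing padding, which is wider than the comment "The native ABI permits the final padding to be omitted" states; either widen the comment to say the trailing padding may be truncated at any point (which is what the native code tolerates), or, if only the exact CMSG_LEN-sized tail is meant, compare `buflen == cm->cmsg_len` explicitly. It would also help to say in that comment that the earlier `cm->cmsg_len > buflen` check is what makes the clamp safe: by the time it runs the header and data are known to fit inside the buffer, and after the clamp buflen becomes 0 so the loop terminates without `in1` advancing past the end.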
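The ABI mismatch the commit message describes, as an added example that is not the kernel's code: a user-space model of the validation loop in freebsd32_copyin_control(), with the alignment made a parameter so the 4-byte freebsd32 case and the 8-byte CheriBSD freebsd64 case can be compared on a CMSG_LEN-sized buffer, before and after the patch. Names with a `_model` suffix are this example's own; the SOL_SOCKET (0xffff) and SCM_RIGHTS (1) values are FreeBSD's constants hard-coded for the constructed message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct cmsghdr_model { uint32_t cmsg_len; int32_t cmsg_level, cmsg_type; }; /* 32-bit cmsghdr, 12 bytes */
static size_t align_model(size_t n, size_t align) { return (n + align - 1) & ~(align - 1); }

/* Validation loop modelled on freebsd32_copyin_control(): 0 on success, -1 where
 * the kernel returns EINVAL.  permit_unpadded_tail=1 is the patched behaviour,
 * 0 reproduces the check the patch replaces. */
static int copyin_control_model(const char *buf, size_t buflen, size_t align,
                                int permit_unpadded_tail)
{
    struct cmsghdr_model cm;
    size_t msglen, hdr = align_model(sizeof(cm), align);
    while (buflen > 0) {
        if (buflen < hdr)                  /* header must fit */
            return -1;
        memcpy(&cm, buf, sizeof(cm));      /* copy first, validate the copy (no TOCTOU) */
        if (cm.cmsg_len < hdr || cm.cmsg_len > buflen)
            return -1;                     /* bogus or buffer-overrunning length */
        msglen = align_model(cm.cmsg_len, align);
        if (msglen < cm.cmsg_len)          /* alignment wrapped around */
            return -1;
        if (msglen > buflen) {             /* only the final message can get here */
            if (!permit_unpadded_tail)
                return -1;
            msglen = buflen;               /* native ABI: final padding may be omitted */
        }
        buflen -= msglen;
        buf += msglen;
    }
    return 0;
}

/* Write one SCM_RIGHTS-style message carrying a single 4-byte fd into out (>= 32
 * bytes) and return its CMSG_LEN, the unpadded size senders such as Wayland pass
 * as msg_controllen; CMSG_SPACE would be align_model(that value, align). */
static size_t build_one_fd_model(char *out, size_t align)
{
    struct cmsghdr_model cm = { 0, 0xffff /* SOL_SOCKET */, 1 /* SCM_RIGHTS */ };
    int32_t fd = 7;                        /* constructed sample value */
    size_t hdr = align_model(sizeof(cm), align);
    cm.cmsg_len = (uint32_t)(hdr + sizeof(fd));
    memset(out, 0, 32);
    memcpy(out, &cm, sizeof(cm));
    memcpy(out + hdr, &fd, sizeof(fd));
    return cm.cmsg_len;
}
```

With 4-byte alignment the fd message's CMSG_LEN (16) is already aligned, so old and new checks agree; with 8-byte alignment CMSG_LEN is 20 but CMSG_SPACE is 24, and only the patched loop accepts the 20-byte buffer.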