Date: Tue, 17 Oct 2023 13:37:07 GMT
Message-Id: <202310171337.39HDb76r095780@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 761ae1ce798a - main - ktrace: Handle uio_resid underflow via MSG_TRUNC
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=761ae1ce798add862d78728cc5ac5240ce7db779

commit 761ae1ce798add862d78728cc5ac5240ce7db779
Author:     Mark Johnston
AuthorDate: 2023-10-16 20:11:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-10-17 13:12:19 +0000

    ktrace: Handle uio_resid underflow via MSG_TRUNC

    When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
    or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
    intentionally underflow uio_resid so that userspace can find out how
    many bytes it should have asked for.

    If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
    copy in beyond the end of the output buffer's iovec.  In general this
    will silently cause the ktrace operation to fail since it'll result in
    EFAULT from uiomove().

    Let's be more careful and make sure not to try and copy more bytes than
    we have.

    Fixes:          be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().")
    Reported by:    syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com
    Reviewed by:    kib
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D42099
---
 sys/kern/uipc_syscalls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2dad9d487290..c7c2e6544902 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -948,7 +948,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa); #ifdef KTRACE if (ktruio != NULL) { - ktruio->uio_resid = len - auio.uio_resid; + /* MSG_TRUNC can trigger underflow of uio_resid. */ + ktruio->uio_resid = MIN(len - auio.uio_resid, len); ktrgenio(s, UIO_READ, ktruio, error); } #endif
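
Review bot: The comment added above the MIN() in kern_recvit() names the cause but not the hazard, and the clamp bounds only the upper side. Consider expanding it to say that auio.uio_resid can be negative after a MSG_TRUNC receive, so that "len - auio.uio_resid" exceeds len, and that the clamp keeps ktrgenio() from copying past the end of ktruio's iovec. MIN(len - auio.uio_resid, len) passes any value below len through unchanged, including a negative one; if auio.uio_resid can never exceed len on this path, a short note or assertion to that effect would make the invariant explicit.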
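
The MSG_TRUNC behaviour described in the commit message, seen from userspace, as an added example that is not part of the commit or of FreeBSD: recvmsg(2) can report more bytes than the buffer holds, so a caller has to clamp before using the return value as a length. `recv_truncated` and `struct trunc_result` are hypothetical names, the payload is constructed, and the example assumes a system whose AF_UNIX datagram sockets honour MSG_TRUNC on receive.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* What the kernel reported versus what is actually in the buffer. */
struct trunc_result {
    ssize_t reported;   /* return value of recvmsg(2) with MSG_TRUNC */
    size_t  valid;      /* bytes really stored in the caller's buffer */
    int     truncated;  /* MSG_TRUNC set in msg_flags on return */
};

/* Send sendlen constructed bytes over a local socketpair and receive them
 * into a buflen-byte buffer with MSG_TRUNC. Returns 0 on success, -1 on error. */
int recv_truncated(size_t sendlen, size_t buflen, struct trunc_result *res)
{
    char payload[256], buf[64];
    int sv[2];
    ssize_t n = -1;

    if (sendlen > sizeof(payload) || buflen > sizeof(buf))
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(payload, 'A', sendlen);      /* constructed sample datagram */
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (send(sv[0], payload, sendlen, 0) == (ssize_t)sendlen)
        n = recvmsg(sv[1], &msg, MSG_TRUNC);
    close(sv[0]);
    close(sv[1]);
    if (n < 0)
        return -1;
    res->reported = n;
    /* Same idea as the patch: never treat more than buflen bytes as present. */
    res->valid = (size_t)n < buflen ? (size_t)n : buflen;
    res->truncated = (msg.msg_flags & MSG_TRUNC) != 0;
    return 0;
}

int main(void)
{
    struct trunc_result r;
    if (recv_truncated(100, 16, &r) != 0)
        return 1;
    printf("reported=%zd valid=%zu truncated=%d\n", r.reported, r.valid, r.truncated);
    return 0;
}
```

Using `reported` directly as the length of `buf` is the userspace form of the over-read that the patch prevents in ktrgenio().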