Date: Fri, 20 Oct 2023 16:01:54 GMT
Message-Id: <202310201601.39KG1sVM037803@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: a861521ac98f - stable/13 - ktrace: Handle uio_resid underflow via MSG_TRUNC
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: a861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17
Auto-Submitted: auto-generated

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=a861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17

commit a861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17
Author:     Mark Johnston
AuthorDate: 2023-10-16 20:11:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-10-20 16:01:47 +0000

    ktrace: Handle uio_resid underflow via MSG_TRUNC

    When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM or
    SEQPACKET), soreceive_generic() and uipc_peek_dgram() may intentionally
    underflow uio_resid so that userspace can find out how many bytes it
    should have asked for. If this happens, and KTR_GENIO is enabled,
    ktrgenio() will attempt to copy in beyond the end of the output buffer's
    iovec. In general this will silently cause the ktrace operation to fail
    since it'll result in EFAULT from uiomove(). Let's be more careful and
    make sure not to try and copy more bytes than we have.
    Fixes: be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().")
    Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com
    Reviewed by: kib
    MFC after: 3 days
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D42099

    (cherry picked from commit 761ae1ce798add862d78728cc5ac5240ce7db779)
---
 sys/kern/uipc_syscalls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 61f6585fa789..ef3ebeb58176 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -962,7 +962,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa); #ifdef KTRACE if (ktruio != NULL) { - ktruio->uio_resid = len - auio.uio_resid; + /* MSG_TRUNC can trigger underflow of uio_resid. */ + ktruio->uio_resid = MIN(len - auio.uio_resid, len); ktrgenio(s, UIO_READ, ktruio, error); } #endif
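Review bot: the clamp `ktruio->uio_resid = MIN(len - auio.uio_resid, len);` only does its job because the subtraction is evaluated in a signed type: after the MSG_TRUNC underflow `auio.uio_resid` is negative, so `len - auio.uio_resid` exceeds `len` and `MIN` caps it; with an unsigned `uio_resid` the same expression would wrap and `MIN` would pass the wrapped value straight through. The comment `/* MSG_TRUNC can trigger underflow of uio_resid. */` would read better if it said this explicitly, i.e. that `uio_resid` is negative here and that the ktrace record therefore describes at most the `len` bytes actually landed in the caller's iovec, not the datagram's full length that recvmsg(2) returns to userspace.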
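To see why the clamp matters outside the kernel, here is an added user-space example (not part of this commit or of FreeBSD's source) that reproduces the arithmetic in kern_recvit(): it sends a 64-byte datagram over an AF_UNIX SOCK_DGRAM socketpair, receives it into a 16-byte buffer with MSG_TRUNC, and derives the "resid" the kernel would see. The names trace_len_unclamped(), trace_len_clamped() and demo_msg_trunc() are hypothetical; the demo assumes a kernel that, like Linux and FreeBSD after be1f485d7d6b, reports the full datagram length when MSG_TRUNC is passed to recv(2). Any tracer or logger that copies "the bytes just received" out of the user buffer needs the same clamp, because the returned count is deliberately larger than what the buffer holds.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/*
 * Same arithmetic as kern_recvit(): 'len' is the total length of the
 * caller's iovec and 'resid' is uio_resid after the receive.  With
 * MSG_TRUNC on a DGRAM/SEQPACKET socket the kernel lets resid go negative
 * so that len - resid is the datagram's true size, larger than the buffer.
 */
ssize_t trace_len_unclamped(ssize_t len, ssize_t resid)
{
	return len - resid;	/* pre-fix ktrace length: may exceed len */
}

ssize_t trace_len_clamped(ssize_t len, ssize_t resid)
{
	/* post-fix ktrace length: never more than the buffer actually holds */
	return MIN(len - resid, len);
}

/*
 * Constructed demo (hypothetical helper): send 'dgramsize' bytes over an
 * AF_UNIX SOCK_DGRAM socketpair and receive them into a 'bufsize'-byte
 * buffer with MSG_TRUNC.  Returns what recv() reported (the full datagram
 * length on a kernel that honours MSG_TRUNC, otherwise the bytes copied),
 * or -1 on error.  *safe receives the clamped count, i.e. the most a
 * tracer may read back out of the buffer.
 */
ssize_t demo_msg_trunc(size_t bufsize, size_t dgramsize, ssize_t *safe)
{
	int sv[2];
	char dgram[256], buf[256];
	ssize_t n, resid;

	if (bufsize > sizeof(buf) || dgramsize > sizeof(dgram))
		return -1;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
		return -1;
	memset(dgram, 'A', sizeof(dgram));
	n = -1;
	if (send(sv[0], dgram, dgramsize, 0) == (ssize_t)dgramsize)
		n = recv(sv[1], buf, bufsize, MSG_TRUNC);
	close(sv[0]);
	close(sv[1]);
	if (n < 0)
		return -1;

	/* What uio_resid would be inside the kernel: negative on truncation. */
	resid = (ssize_t)bufsize - n;
	*safe = trace_len_clamped((ssize_t)bufsize, resid);
	return n;
}

int main(void)
{
	ssize_t safe = 0, n = demo_msg_trunc(16, 64, &safe);

	if (n < 0) {
		perror("demo_msg_trunc");
		return 1;
	}
	printf("recv returned %zd, unclamped trace length %zd, clamped %zd\n",
	    n, trace_len_unclamped(16, 16 - n), safe);
	return 0;
}
```

On a kernel that honours MSG_TRUNC the demo reports a return value of 64 for a 16-byte buffer; the unclamped length is the same 64 (the pre-fix ktrace copy would run 48 bytes past the iovec and fail with EFAULT), while the clamped length is 16.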