Date: Fri, 20 Oct 2023 16:02:28 GMT
Message-Id: <202310201602.39KG2S9Y038900@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: eb965d4f0309 - stable/14 - ktrace: Handle uio_resid underflow via MSG_TRUNC
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: eb965d4f0309514893745e6cfae998495e76d941

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=eb965d4f0309514893745e6cfae998495e76d941

commit eb965d4f0309514893745e6cfae998495e76d941
Author:     Mark Johnston
AuthorDate: 2023-10-16 20:11:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-10-20 16:02:05 +0000

    ktrace: Handle uio_resid underflow via MSG_TRUNC

    When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM or
    SEQPACKET), soreceive_generic() and uipc_peek_dgram() may intentionally
    underflow uio_resid so that userspace can find out how many bytes it
    should have asked for. If this happens, and KTR_GENIO is enabled,
    ktrgenio() will attempt to copy in beyond the end of the output buffer's
    iovec. In general this will silently cause the ktrace operation to fail
    since it'll result in EFAULT from uiomove(). Let's be more careful and
    make sure not to try and copy more bytes than we have.
Fixes: be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().") Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com Reviewed by: kib MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D42099 (cherry picked from commit 761ae1ce798add862d78728cc5ac5240ce7db779) --- sys/kern/uipc_syscalls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2dad9d487290..c7c2e6544902 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -948,7 +948,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa); #ifdef KTRACE if (ktruio != NULL) { - ktruio->uio_resid = len - auio.uio_resid; + /* MSG_TRUNC can trigger underflow of uio_resid. */ + ktruio->uio_resid = MIN(len - auio.uio_resid, len); ktrgenio(s, UIO_READ, ktruio, error); } #endif
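Review bot: the clamp on the added `ktruio->uio_resid = MIN(len - auio.uio_resid, len);` line is the right bound, since `len` is the total length of the iovec that `ktruio` was built from, but the new comment should say so: "MSG_TRUNC can trigger underflow of uio_resid" explains why the subtraction can exceed `len`, not why `len` is a safe upper limit for what ktrgenio() may copy in. A one-line expansion such as "/* MSG_TRUNC can leave uio_resid negative; never record more than the iovec holds. */" would spare the next reader the trip into soreceive_generic(). Worth a second sentence as well: the clamp records the bytes actually delivered rather than the full datagram length that recvmsg(2) returns to userspace, so ktrace output for a truncated receive is intentionally shorter than the syscall's return value.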
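A userland demonstration of the MSG_TRUNC behaviour behind this fix, placed next to the old and the fixed ktrace length arithmetic. This is an added example, not code from the commit or from the FreeBSD tree; it assumes an AF_UNIX SOCK_DGRAM socketpair (FreeBSD 14 and Linux both return the full datagram length under MSG_TRUNC) and the helper names `ktrace_len_before`, `ktrace_len_after` and `recv_truncated` are my own.

```c
/* Added example (not from the commit): a userland view of the MSG_TRUNC
 * behaviour that leaves uio_resid negative in kern_recvit(), next to the
 * old and fixed ktrace length arithmetic. Uses an AF_UNIX SOCK_DGRAM
 * socketpair; FreeBSD 14 and Linux both report the full datagram length. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* len: total iov length given to recvmsg; resid: the kernel's
 * auio.uio_resid afterwards (negative once MSG_TRUNC overshoots). */
static ssize_t ktrace_len_before(ssize_t len, ssize_t resid)
{ return len - resid; }                  /* old: can exceed the iovec */
static ssize_t ktrace_len_after(ssize_t len, ssize_t resid)
{ return MIN(len - resid, len); }        /* fixed: bounded by the iovec */

/* Send dgram_len bytes, receive into buf_len bytes with MSG_TRUNC.
 * Returns recvmsg()'s result; *resid gets the kernel-style remainder. */
static ssize_t recv_truncated(size_t dgram_len, size_t buf_len, ssize_t *resid)
{
	int sv[2];
	char out[512], in[512];              /* constructed payload and buffer */
	ssize_t r = -1;
	if (dgram_len > sizeof(out) || buf_len > sizeof(in))
		return -1;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
		return -1;
	memset(out, 'A', dgram_len);
	if (send(sv[0], out, dgram_len, 0) == (ssize_t)dgram_len) {
		struct iovec iov = { .iov_base = in, .iov_len = buf_len };
		struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
		r = recvmsg(sv[1], &mh, MSG_TRUNC);
		if (r >= 0 && resid != NULL)
			*resid = (ssize_t)buf_len - r;   /* len - reported bytes */
	}
	close(sv[0]); close(sv[1]);
	return r;
}

int main(void)
{
	ssize_t resid = 0, r = recv_truncated(100, 16, &resid);
	printf("recvmsg=%zd resid=%zd old=%zd fixed=%zd\n", r, resid,
	    ktrace_len_before(16, resid), ktrace_len_after(16, resid));
	return r == 100 ? 0 : 1;
}
```

With a 100-byte datagram and a 16-byte buffer the kernel-style remainder is -84, so the old arithmetic asks ktrgenio() for 100 bytes from a 16-byte iovec while the fixed form stops at 16.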