From nobody Wed Apr 10 02:21:00 2024
Date: Wed, 10 Apr 2024 02:21:00 GMT
Message-Id: <202404100221.43A2L0K9079345@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Jake Freeland
Subject: git: b112232e4fb9 - main - uipc_shm: Copyin userpath for ktrace(2)
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: dev-commits-src-all+owner@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jfree
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b112232e4fb931ebafae9d79fbc970e3df020b57
Auto-Submitted: auto-generated

The branch main has been updated by jfree:

URL: https://cgit.FreeBSD.org/src/commit/?id=b112232e4fb931ebafae9d79fbc970e3df020b57

commit b112232e4fb931ebafae9d79fbc970e3df020b57
Author:     Jake Freeland
AuthorDate: 2024-04-10 02:17:11 +0000
Commit:     Jake Freeland
CommitDate: 2024-04-10 02:17:11 +0000

    uipc_shm: Copyin userpath for ktrace(2)

    If userpath is not SHM_ANON, then copy it in early so ktrace(2) can
    record it. Without this change, ktrace(2) will attempt to strcpy a
    userspace string and trigger a page fault.

    Reported by:    syzbot+490b9c2a89f53b1b9779@syzkaller.appspotmail.com
    Fixes:          0cd9cde767c3
    Approved by:    markj (mentor)
    Reviewed by:    markj
    MFC after:      1 month
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D44702
---
 sys/kern/uipc_shm.c | 44 +++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/sys/kern/uipc_shm.c b/sys/kern/uipc_shm.c
index 5347378c2b4d..14fe43524935 100644
--- a/sys/kern/uipc_shm.c
+++ b/sys/kern/uipc_shm.c
@@ -1173,18 +1173,6 @@ kern_shm_open2(struct thread *td, const char *userpath, int flags, mode_t mode, if ((shmflags & SHM_ALLOW_SEALING) != 0) initial_seals &= ~F_SEAL_SEAL; -#ifdef CAPABILITY_MODE - /* - * shm_open(2) is only allowed for anonymous objects. - */ - if (userpath != SHM_ANON) { - if (CAP_TRACING(td)) - ktrcapfail(CAPFAIL_NAMEI, userpath); - if (IN_CAPABILITY_MODE(td)) - return (ECAPMODE); - } -#endif - AUDIT_ARG_FFLAGS(flags); AUDIT_ARG_MODE(mode); @@ -1209,6 +1197,26 @@ kern_shm_open2(struct thread *td, const char *userpath, int flags, mode_t mode, if ((initial_seals & ~F_SEAL_SEAL) != 0) return (EINVAL); + if (userpath != SHM_ANON) { + error = shm_copyin_path(td, userpath, &path); + if (error != 0) + return (error); + +#ifdef CAPABILITY_MODE + /* + * shm_open(2) is only allowed for anonymous objects. + */ + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_NAMEI, path); + if (IN_CAPABILITY_MODE(td)) { + free(path, M_SHMFD); + return (ECAPMODE); + } +#endif + + AUDIT_ARG_UPATH1_CANON(path); + } + pdp = td->td_proc->p_pd; cmode = (mode & ~pdp->pd_cmask) & ACCESSPERMS; @@ -1220,8 +1228,10 @@ kern_shm_open2(struct thread *td, const char *userpath, int flags, mode_t mode, * in sys_shm_open() to keep this implementation compliant. */ error = falloc_caps(td, &fp, &fd, flags & O_CLOEXEC, fcaps); - if (error) + if (error) { + free(path, M_SHMFD); return (error); + } /* A SHM_ANON path pointer creates an anonymous object. */ if (userpath == SHM_ANON) { @@ -1235,14 +1245,6 @@ kern_shm_open2(struct thread *td, const char *userpath, int flags, mode_t mode, shmfd->shm_seals = initial_seals; shmfd->shm_flags = shmflags; } else { - error = shm_copyin_path(td, userpath, &path); - if (error != 0) { - fdclose(td, fp, fd); - fdrop(fp, td); - return (error); - } - - AUDIT_ARG_UPATH1_CANON(path); fnv = fnv_32_str(path, FNV1_32_INIT); sx_xlock(&shm_dict_lock); shmfd = shm_lookup(path, fnv);
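Review bot: in the second hunk (@@ -1209,6 +1197,26 @@), hoisting shm_copyin_path() ahead of the CAPABILITY_MODE block changes error precedence: a capability-mode process that passes an unmapped or otherwise unusable path now gets the error from shm_copyin_path() (for example EFAULT) instead of ECAPMODE, and ktrcapfail() is not reached for such a path at all. That is a sensible trade for handing ktrace a kernel-resident string rather than the raw userspace pointer that caused the reported fault, but it deserves a sentence in the commit message. The added free(path, M_SHMFD) before return (ECAPMODE) is required, since the path buffer is now owned before the sandbox check rather than after it.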
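Review bot: in the third hunk (@@ -1220,8 +1228,10 @@), the new free(path, M_SHMFD) on the falloc_caps() failure path also runs for SHM_ANON callers, and on that path shm_copyin_path() is never called, so path is whatever the stack held unless it is initialised to NULL earlier in the function (not visible in this diff). free(9) accepts NULL, so either set path = NULL at its declaration or in an else branch of the new if (userpath != SHM_ANON) block, or guard this free with if (userpath != SHM_ANON); as written, the correctness of this line depends on code outside the hunk.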
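Review bot: in the last hunk (@@ -1235,14 +1245,6 @@), dropping the fdclose()/fdrop() cleanup is correct because the copyin now runs before falloc_caps(), so no descriptor exists when it fails. Since path is now allocated before the fd rather than here, please confirm that the remaining error exits of this else branch, after shm_lookup() and under shm_dict_lock, still free path and still close the fd; they are outside the hunk and were previously the only exits reached with both resources held.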