From nobody Thu Dec 12 14:27:34 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Y8FDR0rXrz5gLMl;
	Thu, 12 Dec 2024 14:27:35 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Y8FDQ62hpz4XZ6;
	Thu, 12 Dec 2024 14:27:34 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1734013654;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=kWrNBa7ARXAHSeosnAjC14spMgGFWv78H0oYTdUTIFQ=;
	b=Mw3+tFwKEy5s1Mm/MTOumuEs03PqC45Igce+vTPcvAcCOc6dNyJfrit53te85CG+dTzJZR
	Fqh/F4ZLoTC0kAeh7fwiocNaJEhWyTkUSB764HTb14xamvt2rzfRZoG3JQTiJx2tDsgGJv
	wQWnWM3Iivghu2RN7subwXmJ4RjHfLziotmM3glDWNkaDPSTq5vJbAIXvAvij2ldDrt1jm
	tvSV9ggJvzwusStw/W0POVVBWdUDrj7mUMnsye6UbElxo5kQB67wBvuQQf6jRMBwZG0zL6
	Da6xy5wATPvHTskaP8pV4FaMNgDGmOdn5yAba7lzmqUV9yrVVrvdYqXpd9Xo5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1734013654;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=kWrNBa7ARXAHSeosnAjC14spMgGFWv78H0oYTdUTIFQ=;
	b=SSqojkJJtEHFj33v1i05IwO9Ph3yfwAtkTfz6Wp85atBGAX9WGE/Bj1uvG1tAfsXuUzHiZ
	LgBIYJmQV0RUFfpiMsQDyxqcbenwMTc2vCGoLKqvOTlBRkqAItcPSWgwKgZxEyU2/4xIX8
	oEQ7ka4VbuZ//m1IJDW9nBgBeuxWHOqK9WxnvrFtpn/NvWFn88QstJ6PHOeO3TE6lv8Tnf
	3/iZMxcbscTJEco0eErRb/X6ZdJcNvNuHoGL0ZXLlkMvZLOWew962qQM97IbTgqlqCU1fR
	V6Ln8TPGRRd9wis0hOiFoUcNXK8y88qxF+LHppLecLvyLPn0y+IdOxhn1uf7Iw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1734013654; a=rsa-sha256; cv=none;
	b=qvKGmWSO/ngL8O7ERMv8pEMKZFxpGgH43dM6pfe8PiaUtT10iQ7ni8wynliNnukQdIitel
	ksNQuSesR4OnaLkkJ1p/5+RbFROCAwo0glP8kRAj+ubYkj2jF36cKeOZTBIr0Z/Z65VovH
	Fcl+u/m4h1Iw3D7hhHLjrhE/g6eNb54rQ5+0uNJDdwusz6RP0+jnhKD9GpIifyY2kPal9X
	Ghc52G0vNMuDHcZRr9Jx/hS142h+fTgozN96fauFTBvIfc7q6mr1hYz2OcDVmf6fHYKArN
	K+hpikTf2DLO8HP5H2abtc7iZTIcZa5bGzfVhm9UvtuAUXAfWwjsT54G8TDxNg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Y8FDQ5fqvzvjH;
	Thu, 12 Dec 2024 14:27:34 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4BCERYYP066065;
	Thu, 12 Dec 2024 14:27:34 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4BCERY2G066062;
	Thu, 12 Dec 2024 14:27:34 GMT
	(envelope-from git)
Date: Thu, 12 Dec 2024 14:27:34 GMT
Message-Id: <202412121427.4BCERY2G066062@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 4f02a7d739b3 - main - inpcb: Remove bogus SO_REUSEPORT(_LB)
  checks in in_pcbbind()
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4f02a7d739b354eef38e19b25866f64842d69414
Auto-Submitted: auto-generated

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f02a7d739b354eef38e19b25866f64842d69414

commit 4f02a7d739b354eef38e19b25866f64842d69414
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-12-12 14:06:06 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-12-12 14:25:15 +0000

    inpcb: Remove bogus SO_REUSEPORT(_LB) checks in in_pcbbind()
    
    This check for SO_REUSEPORT was added way back in commit 52b65dbe85faf.
    Per the commit log, this commit restricted this port-stealing check to
    unicast addresses, and then only if the existing socket does not have
    SO_REUSEPORT set.  In other words, if there exists a socket bound to
    INADDR_ANY, and we bind a socket to INADDR_ANY with the same port, then
    the two sockets need not be owned by the same user if the existing
    socket has SO_REUSEPORT set.
    
    This is a surprising semantic; bugzilla PR 7713 gives some additional
    context.  That PR makes a case for the behaviour described above when
    binding to a multicast address.  But, the SO_REUSEPORT check is only
    applied when binding to a non-multicast address, so it doesn't really
    make sense.  In the PR the committer notes that "unicast applications
    don't set SO_REUSEPORT", which makes some sense, but also refers to
    "multicast applications that bind to INADDR_ANY", which sounds a bit
    suspicious.
    
    OpenBSD performs the multicast check, but not the SO_REUSEPORT check.
    DragonflyBSD removed the SO_REUSEPORT (and INADDR_ANY) checks back in
    2014 (commit 0323d5fde12a4).  NetBSD explicitly copied our logic and
    still has it.
    
    The plot thickens: 20 years later, SO_REUSEPORT_LB was ported from
    DragonflyBSD: this option provides similar semantics to SO_REUSEPORT,
    but for unicast addresses it causes incoming connections/datagrams to be
    distributed among all sockets in the group.  This commit (1a43cff92a20d)
    inverted the check for SO_REUSEPORT while adding one for
    SO_REUSEPORT_LB; this appears to have been inadvertent.  However:
    - apparently no one has noticed that the semantics were changed;
    - sockets belonging to different users can now be bound to the same port
      so long as they belong to a single lbgroup bound to INADDR_ANY, which
      is not correct.
    
    Simply remove the SO_REUSEPORT(_LB) checks, as their original
    justification was dubious and their current implementation is wrong; add
    some tests.
    
    Reviewed by:    glebius
    MFC after:      1 month
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
    Differential Revision:  https://reviews.freebsd.org/D47832
---
 sys/netinet/in_pcb.c              |   4 +-
 sys/netinet6/in6_pcb.c            |   4 +-
 tests/sys/netinet/socket_afinet.c | 240 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 241 insertions(+), 7 deletions(-)

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index cfe3fd65e032..432cae68062a 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -925,9 +925,7 @@ in_pcbbind_avail(struct inpcb *inp, const struct in_addr laddr,
 			    (inp->inp_socket->so_type != SOCK_STREAM ||
 			     in_nullhost(t->inp_faddr)) &&
 			    (!in_nullhost(laddr) ||
-			     !in_nullhost(t->inp_laddr) ||
-			     (t->inp_socket->so_options & SO_REUSEPORT) ||
-			     (t->inp_socket->so_options & SO_REUSEPORT_LB) == 0) &&
+			     !in_nullhost(t->inp_laddr)) &&
 			    (inp->inp_cred->cr_uid != t->inp_cred->cr_uid))
 				return (EADDRINUSE);
 		}
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index ada5058e56b3..51f2a29918fe 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -245,9 +245,7 @@ in6_pcbbind_avail(struct inpcb *inp, const struct sockaddr_in6 *sin6,
 			    (inp->inp_socket->so_type != SOCK_STREAM ||
 			     IN6_IS_ADDR_UNSPECIFIED(&t->in6p_faddr)) &&
 			    (!IN6_IS_ADDR_UNSPECIFIED(laddr) ||
-			     !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) ||
-			     (t->inp_socket->so_options & SO_REUSEPORT) ||
-			     (t->inp_socket->so_options & SO_REUSEPORT_LB) == 0) &&
+			     !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr)) &&
 			    (inp->inp_cred->cr_uid != t->inp_cred->cr_uid))
 				return (EADDRINUSE);
 
diff --git a/tests/sys/netinet/socket_afinet.c b/tests/sys/netinet/socket_afinet.c
index 7076f084719a..ba8c03af46a6 100644
--- a/tests/sys/netinet/socket_afinet.c
+++ b/tests/sys/netinet/socket_afinet.c
@@ -2,6 +2,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2019 Bjoern A. Zeeb
+ * Copyright (c) 2024 Stormshield
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -25,11 +26,17 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
+#include <sys/param.h>
 #include <sys/socket.h>
+#include <sys/wait.h>
+
 #include <netinet/in.h>
+
 #include <errno.h>
 #include <poll.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <unistd.h>
 
 #include <atf-c.h>
 
@@ -281,6 +288,235 @@ ATF_TC_BODY(socket_afinet_stream_reconnect, tc)
 	ATF_CHECK_EQ(0, rc);
 }
 
+/*
+ * Make sure that unprivileged users can't set the IP_BINDANY or IPV6_BINDANY
+ * socket options.
+ */
+ATF_TC(socket_afinet_bindany);
+ATF_TC_HEAD(socket_afinet_bindany, tc)
+{
+	atf_tc_set_md_var(tc, "require.user", "unprivileged");
+}
+ATF_TC_BODY(socket_afinet_bindany, tc)
+{
+	int s;
+
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	ATF_REQUIRE(s >= 0);
+	ATF_REQUIRE_ERRNO(EPERM,
+	    setsockopt(s, IPPROTO_IP, IP_BINDANY, &(int){1}, sizeof(int)) ==
+	    -1);
+	ATF_REQUIRE(close(s) == 0);
+
+	s = socket(AF_INET, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s >= 0);
+	ATF_REQUIRE_ERRNO(EPERM,
+	    setsockopt(s, IPPROTO_IP, IP_BINDANY, &(int){1}, sizeof(int)) ==
+	    -1);
+	ATF_REQUIRE(close(s) == 0);
+
+	s = socket(AF_INET6, SOCK_STREAM, 0);
+	ATF_REQUIRE(s >= 0);
+	ATF_REQUIRE_ERRNO(EPERM,
+	    setsockopt(s, IPPROTO_IPV6, IPV6_BINDANY, &(int){1}, sizeof(int)) ==
+	    -1);
+	ATF_REQUIRE(close(s) == 0);
+
+	s = socket(AF_INET6, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s >= 0);
+	ATF_REQUIRE_ERRNO(EPERM,
+	    setsockopt(s, IPPROTO_IPV6, IPV6_BINDANY, &(int){1}, sizeof(int)) ==
+	    -1);
+	ATF_REQUIRE(close(s) == 0);
+}
+
+/*
+ * Bind a socket to the specified address, optionally dropping privileges and
+ * setting one of the SO_REUSE* options first.
+ *
+ * Returns true if the bind succeeded, and false if it failed with EADDRINUSE.
+ */
+static bool
+child_bind(const atf_tc_t *tc, int type, struct sockaddr *sa, int opt, bool unpriv)
+{
+	const char *user;
+	pid_t child;
+
+	if (unpriv) {
+		if (!atf_tc_has_config_var(tc, "unprivileged_user"))
+			atf_tc_skip("unprivileged_user not set");
+		user = atf_tc_get_config_var(tc, "unprivileged_user");
+	} else {
+		user = NULL;
+	}
+
+	child = fork();
+	ATF_REQUIRE(child != -1);
+	if (child == 0) {
+		int s;
+
+		if (user != NULL) {
+			struct passwd *passwd;
+
+			passwd = getpwnam(user);
+			if (seteuid(passwd->pw_uid) != 0)
+				_exit(1);
+		}
+
+		s = socket(sa->sa_family, type, 0);
+		if (s < 0)
+			_exit(2);
+		if (bind(s, sa, sa->sa_len) == 0)
+			_exit(3);
+		if (errno != EADDRINUSE)
+			_exit(4);
+		if (opt != 0) {
+			if (setsockopt(s, SOL_SOCKET, opt, &(int){1},
+			    sizeof(int)) != 0)
+				_exit(5);
+		}
+		if (bind(s, sa, sa->sa_len) == 0)
+			_exit(6);
+		if (errno != EADDRINUSE)
+			_exit(7);
+		_exit(0);
+	} else {
+		int status;
+
+		ATF_REQUIRE_EQ(waitpid(child, &status, 0), child);
+		ATF_REQUIRE(WIFEXITED(status));
+		status = WEXITSTATUS(status);
+		ATF_REQUIRE_MSG(status == 0 || status == 6,
+		    "child exited with %d", status);
+		return (status == 6);
+	}
+}
+
+static bool
+child_bind_priv(const atf_tc_t *tc, int type, struct sockaddr *sa, int opt)
+{
+	return (child_bind(tc, type, sa, opt, false));
+}
+
+static bool
+child_bind_unpriv(const atf_tc_t *tc, int type, struct sockaddr *sa, int opt)
+{
+	return (child_bind(tc, type, sa, opt, true));
+}
+
+static int
+bind_socket(int domain, int type, int opt, bool unspec, struct sockaddr *sa)
+{
+	socklen_t slen;
+	int s;
+
+	s = socket(domain, type, 0);
+	ATF_REQUIRE(s >= 0);
+
+	if (domain == AF_INET) {
+		struct sockaddr_in sin;
+
+		bzero(&sin, sizeof(sin));
+		sin.sin_family = AF_INET;
+		sin.sin_len = sizeof(sin);
+		sin.sin_addr.s_addr = htonl(unspec ?
+		    INADDR_ANY : INADDR_LOOPBACK);
+		sin.sin_port = htons(0);
+		ATF_REQUIRE(bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0);
+
+		slen = sizeof(sin);
+	} else /* if (domain == AF_INET6) */ {
+		struct sockaddr_in6 sin6;
+
+		bzero(&sin6, sizeof(sin6));
+		sin6.sin6_family = AF_INET6;
+		sin6.sin6_len = sizeof(sin6);
+		sin6.sin6_addr = unspec ? in6addr_any : in6addr_loopback;
+		sin6.sin6_port = htons(0);
+		ATF_REQUIRE(bind(s, (struct sockaddr *)&sin6, sizeof(sin6)) == 0);
+
+		slen = sizeof(sin6);
+	}
+
+	if (opt != 0) {
+		ATF_REQUIRE(setsockopt(s, SOL_SOCKET, opt, &(int){1},
+		    sizeof(int)) == 0);
+	}
+
+	ATF_REQUIRE(getsockname(s, sa, &slen) == 0);
+
+	return (s);
+}
+
+static void
+multibind_test(const atf_tc_t *tc, int domain, int type)
+{
+	struct sockaddr_storage ss;
+	int opts[4] = { 0, SO_REUSEADDR, SO_REUSEPORT, SO_REUSEPORT_LB };
+	int s;
+	bool flags[2] = { false, true };
+	bool res;
+
+	for (size_t flagi = 0; flagi < nitems(flags); flagi++) {
+		for (size_t opti = 0; opti < nitems(opts); opti++) {
+			s = bind_socket(domain, type, opts[opti], flags[flagi],
+			    (struct sockaddr *)&ss);
+			for (size_t optj = 0; optj < nitems(opts); optj++) {
+				int opt;
+
+				opt = opts[optj];
+				res = child_bind_priv(tc, type,
+				    (struct sockaddr *)&ss, opt);
+				/*
+				 * Multi-binding is only allowed when both
+				 * sockets have SO_REUSEPORT or SO_REUSEPORT_LB
+				 * set.
+				 */
+				if (opts[opti] != 0 &&
+				    opts[opti] != SO_REUSEADDR && opti == optj)
+					ATF_REQUIRE(res);
+				else
+					ATF_REQUIRE(!res);
+
+				res = child_bind_unpriv(tc, type,
+				    (struct sockaddr *)&ss, opt);
+				/*
+				 * Multi-binding is only allowed when both
+				 * sockets have the same owner.
+				 * 
+				 * XXX-MJ we for some reason permit this when
+				 * binding to the unspecified address, but I
+				 * don't think that's right
+				 */
+				if (flags[flagi] && opts[opti] != 0 &&
+				    opts[opti] != SO_REUSEADDR && opti == optj)
+					ATF_REQUIRE(res);
+				else
+					ATF_REQUIRE(!res);
+			}
+			ATF_REQUIRE(close(s) == 0);
+		}
+	}
+}
+
+/*
+ * Try to bind two sockets to the same address/port tuple.  Under some
+ * conditions this is permitted.
+ */
+ATF_TC(socket_afinet_multibind);
+ATF_TC_HEAD(socket_afinet_multibind, tc)
+{
+	atf_tc_set_md_var(tc, "require.user", "root");
+	atf_tc_set_md_var(tc, "require.config", "unprivileged_user");
+}
+ATF_TC_BODY(socket_afinet_multibind, tc)
+{
+	multibind_test(tc, AF_INET, SOCK_STREAM);
+	multibind_test(tc, AF_INET, SOCK_DGRAM);
+	multibind_test(tc, AF_INET6, SOCK_STREAM);
+	multibind_test(tc, AF_INET6, SOCK_DGRAM);
+}
+
 ATF_TP_ADD_TCS(tp)
 {
 	ATF_TP_ADD_TC(tp, socket_afinet);
@@ -289,6 +525,8 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, socket_afinet_poll_no_rdhup);
 	ATF_TP_ADD_TC(tp, socket_afinet_poll_rdhup);
 	ATF_TP_ADD_TC(tp, socket_afinet_stream_reconnect);
+	ATF_TP_ADD_TC(tp, socket_afinet_bindany);
+	ATF_TP_ADD_TC(tp, socket_afinet_multibind);
 
 	return atf_no_error();
 }