git: b76e41fca95f - stable/13 - Add required sysctl name length checks to various handlers

Mark Johnston markj at FreeBSD.org
Fri Jul 30 00:33:14 UTC 2021 

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b76e41fca95f189a1bc759f3318c96ff8653ba01

commit b76e41fca95f189a1bc759f3318c96ff8653ba01
Author:     Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-07-23 14:37:11 +0000
Commit:     Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-07-30 00:32:58 +0000

    Add required sysctl name length checks to various handlers
    
    Reported by:    KMSAN
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 0dcef81de9915e8ce1e3985204bebe7026d96b6f)
---
 sys/kern/kern_descrip.c | 20 ++++++++++++++++++++
 sys/kern/kern_proc.c    | 16 +++++++++++++++-
 sys/net/rtsock.c        |  5 ++++-
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 36092c9acd42..c7269e4b33a9 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -4092,8 +4092,13 @@ sysctl_kern_proc_nfds(SYSCTL_HANDLER_ARGS)
 {
 	NDSLOTTYPE *map;
 	struct filedesc *fdp;
+	u_int namelen;
 	int count, off, minoff;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	if (*(int *)arg1 != 0)
 		return (EINVAL);
 
@@ -4482,8 +4487,13 @@ sysctl_kern_proc_filedesc(SYSCTL_HANDLER_ARGS)
 	struct sbuf sb;
 	struct proc *p;
 	ssize_t maxlen;
+	u_int namelen;
 	int error, error2, *name;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	name = (int *)arg1;
 
 	sbuf_new_for_sysctl(&sb, NULL, FILEDESC_SBUF_SIZE, req);
@@ -4561,10 +4571,15 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLER_ARGS)
 	struct filedesc *fdp;
 	struct pwddesc *pdp;
 	struct pwd *pwd;
+	u_int namelen;
 	int error, i, lastfile, *name;
 	struct file *fp;
 	struct proc *p;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	name = (int *)arg1;
 	error = pget((pid_t)name[0], PGET_CANDEBUG | PGET_NOTWEXIT, &p);
 	if (error != 0)
@@ -4706,8 +4721,13 @@ sysctl_kern_proc_cwd(SYSCTL_HANDLER_ARGS)
 	struct sbuf sb;
 	struct proc *p;
 	ssize_t maxlen;
+	u_int namelen;
 	int error, error2, *name;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	name = (int *)arg1;
 
 	sbuf_new_for_sysctl(&sb, NULL, sizeof(struct kinfo_file), req);
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index ec732e8db060..2017f824f6ad 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -2297,7 +2297,7 @@ static int
 sysctl_kern_proc_ovmmap(SYSCTL_HANDLER_ARGS)
 {
 	vm_map_entry_t entry, tmp_entry;
-	unsigned int last_timestamp;
+	unsigned int last_timestamp, namelen;
 	char *fullpath, *freepath;
 	struct kinfo_ovmentry *kve;
 	struct vattr va;
@@ -2308,6 +2308,10 @@ sysctl_kern_proc_ovmmap(SYSCTL_HANDLER_ARGS)
 	vm_map_t map;
 	struct vmspace *vm;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	name = (int *)arg1;
 	error = pget((pid_t)name[0], PGET_WANTREAD, &p);
 	if (error != 0)
@@ -2678,8 +2682,13 @@ sysctl_kern_proc_vmmap(SYSCTL_HANDLER_ARGS)
 {
 	struct proc *p;
 	struct sbuf sb;
+	u_int namelen;
 	int error, error2, *name;
 
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+
 	name = (int *)arg1;
 	sbuf_new_for_sysctl(&sb, NULL, sizeof(struct kinfo_vmentry), req);
 	sbuf_clear_flags(&sb, SBUF_INCLUDENUL);
@@ -2705,6 +2714,11 @@ sysctl_kern_proc_kstack(SYSCTL_HANDLER_ARGS)
 	struct stack *st;
 	struct sbuf sb;
 	struct proc *p;
+	u_int namelen;
+
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
 
 	name = (int *)arg1;
 	error = pget((pid_t)name[0], PGET_NOTINEXEC | PGET_WANTREAD, &p);
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3cb645f42e4c..1f898c739725 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -2563,7 +2563,10 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS)
 	u_char	af;
 	struct	walkarg w;
 
-	name ++;
+	if (namelen < 3)
+		return (EINVAL);
+
+	name++;
 	namelen--;
 	if (req->newptr)
 		return (EPERM);

More information about the dev-commits-src-all mailing list