Page MenuHomeFreeBSD
Differential D31313

pf: Fix ioctls which copy out arrays
ClosedPublic
Actions

Authored by markj on Jul 26 2021, 9:26 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 25, 4:17 PM
Unknown Object (File)
Oct 5 2024, 4:28 AM
Unknown Object (File)
Sep 24 2024, 3:29 AM
Unknown Object (File)
Sep 9 2024, 10:04 PM
Unknown Object (File)
Sep 9 2024, 9:36 PM
Unknown Object (File)
Sep 8 2024, 5:26 AM
Unknown Object (File)
Sep 5 2024, 9:18 PM
Unknown Object (File)
Sep 5 2024, 7:59 PM
View All 66 Files
Subscribers
farrokhi
imp
melifaro

Details

Reviewers
kp
mjg
Commits
rG2b82c57e3997: pf: Initialize arrays before copying out to userland
Summary

A number of pf ioctls which copy out arrays have the following
structure:

  • Caller specifies the size of the array
  • ioctl handler allocates a buffer to store it
  • ioctl handler populates the array, returning the actual number of items back to userland
  • ioctl handler copies the array to userland

It can happen that the caller specified a size larger than the resulting
array. In this case we were leaving some entries uninitialized but
copying them out anyway. This change modifies the ioctl handlers to
copy out only the number of array entries that we return.

Reported by: KMSAN
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jul 26 2021, 9:26 PM
Herald added subscribers: melifaro, farrokhi, imp. · View Herald TranscriptJul 26 2021, 9:26 PM
markj requested review of this revision.Jul 26 2021, 9:26 PM
markj added a child revision: D31314: pf: Zero table stats structures.
Harbormaster completed remote builds in B40685: Diff 92767.Jul 26 2021, 9:26 PM
markj updated this revision to Diff 92769.Jul 26 2021, 9:30 PM

Consistently use braces around multiline statements.

Harbormaster completed remote builds in B40687: Diff 92769.Jul 26 2021, 9:31 PM
kp added a comment.Jul 27 2021, 8:09 AM

This is clearly an improvement, but I think it doesn't cover everything.

All these call a function that can still fail to copy data into the buffer. If the provided size is too small they'll only update the size pointer and return 0. They will not write to the buffer. So we can still end up copying out an uninitialised array. (except for pfi_get_ifaces())
The easiest fix would be to add M_ZERO to the mallocarray() calls.

markj added a comment.Jul 27 2021, 7:56 PM
In D31313#705343, @kp wrote:

This is clearly an improvement, but I think it doesn't cover everything.

All these call a function that can still fail to copy data into the buffer. If the provided size is too small they'll only update the size pointer and return 0. They will not write to the buffer. So we can still end up copying out an uninitialised array. (except for pfi_get_ifaces())
The easiest fix would be to add M_ZERO to the mallocarray() calls.

Ah, I hadn't noticed this. It's kind of strange that we copy out even when we have nothing to copy.I did it this way partly to avoid needless zeroing of arrays that we're going to overwrite anyway, but it's probably best to just keep things simple and zero the arrays.

markj updated this revision to Diff 92827.Jul 27 2021, 8:29 PM

Simply zero arrays that get initialized by the kernel before being
copied out.

Harbormaster completed remote builds in B40696: Diff 92827.Jul 27 2021, 8:29 PM
kp accepted this revision.Jul 27 2021, 8:43 PM
This revision is now accepted and ready to land.Jul 27 2021, 8:43 PM
Closed by commit rG2b82c57e3997: pf: Initialize arrays before copying out to userland (authored by markj). · Explain WhyJul 28 2021, 2:41 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG2b82c57e3997: pf: Initialize arrays before copying out to userland.
markj mentioned this in D31314: pf: Zero table stats structures.Jul 28 2021, 2:42 PM

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
10 lines

Diff 92860

View Options

sys/netpfil/pf/pf_ioctl.c

Loading...