Page MenuHomeFreeBSD

freebsd32: Make sendmsg match native ABI for unpadded final control message
ClosedPublic

Authored by jrtc27 on Sep 13 2022, 11:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 29, 3:26 PM
Unknown Object (File)
Nov 28 2024, 2:53 AM
Unknown Object (File)
Nov 12 2024, 12:59 AM
Unknown Object (File)
Nov 6 2024, 8:51 PM
Unknown Object (File)
Oct 26 2024, 12:13 PM
Unknown Object (File)
Oct 26 2024, 12:13 PM
Unknown Object (File)
Oct 26 2024, 12:13 PM
Unknown Object (File)
Oct 26 2024, 11:59 AM
Subscribers

Details

Summary

The API says that CMSG_SPACE should be used for msg_controllen, but in
practice the native ABI allows you to only use CMSG_LEN for the final
(typically only) control message, and real-world software does this,
including Wayland. For freebsd32, this is in practice mostly harmless,
since control messages are generally used to carry file descriptors,
which are already 4 bytes in size and thus no padding is needed, but
they can carry other quantities that may not result in an aligned
length. This was discovered after CheriBSD's freebsd64 equivalent was
updated to match the freebsd32 implementation, as that uses 8 byte
alignment which does break the file descriptor use case, and thus
Wayland.

This used to be addressed by aligning buflen before the first iteration,
but that allowed unwanted invalid inputs and was lost in 1b1428dcc82b,
with no safer equivalent put in its place.

Obtained from: CheriBSD
Fixes: 1b1428dcc82b ("Fix a TOCTOU vulnerability in freebsd32_copyin_control().")
MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 47369
Build 44256: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land.Sep 14 2022, 7:21 AM

The API says that CMSG_SPACE should be used for msg_controllen

The example in CMSG_DATA.3 uses CMSG_LEN(). :(

The API says that CMSG_SPACE should be used for msg_controllen

The example in CMSG_DATA.3 uses CMSG_LEN(). :(

For cmsg_len, which is correct. For msg_controllen it uses sizeof(cmsgbuf.buf), which is CMSG_SPACE(sizeof(int)).