Page MenuHomeFreeBSD

ktrace: Handle uio_resid underflow via MSG_TRUNC
ClosedPublic

Authored by markj on Oct 5 2023, 9:36 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 5, 7:05 AM
Unknown Object (File)
Sep 27 2024, 4:30 AM
Unknown Object (File)
Sep 17 2024, 11:41 PM
Unknown Object (File)
Sep 11 2024, 7:41 AM
Unknown Object (File)
Sep 9 2024, 3:23 PM
Unknown Object (File)
Sep 9 2024, 3:22 PM
Unknown Object (File)
Aug 28 2024, 3:38 AM
Unknown Object (File)
Aug 22 2024, 12:24 AM
Subscribers

Details

Summary

When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
intentionally underflow uio_resid so that userspace can find out how
many bytes it should have asked for.

If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
copy in beyond the end of the output buffer's iovec. In general this
will silently cause the ktrace operation to fail since it'll result in
EFAULT from uiomove(). Let's be more careful and make sure not to try
and copy more bytes than we have.

Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj requested review of this revision.Oct 5 2023, 9:36 PM
kib added inline comments.
sys/kern/uipc_syscalls.c
951–952
This revision is now accepted and ready to land.Oct 5 2023, 10:02 PM