Date: Wed, 22 Dec 2021 16:50:24 GMT
From: Jessica Clarke
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: d2ef3774306c - main - Fix buffer overread in preloaded hostuuid parsing
Message-Id: <202112221650.1BMGoOBY037938@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d2ef3774306c54f3999732fd02bdff39c6b4cf2a

The branch main has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=d2ef3774306c54f3999732fd02bdff39c6b4cf2a
commit d2ef3774306c54f3999732fd02bdff39c6b4cf2a
Author:     Jessica Clarke
AuthorDate: 2021-12-22 16:47:23 +0000
Commit:     Jessica Clarke
CommitDate: 2021-12-22 16:47:23 +0000

    Fix buffer overread in preloaded hostuuid parsing

    Commit b6be9566d236 stopped prison0_init writing outside of the
    preloaded hostuuid's bounds. However, the preloaded data will not
    (normally) have a NUL in it, and so validate_uuid will walk off the end
    of the buffer in its call to sscanf. Previously if there was any
    whitespace in the string we'd at least know there's a NUL one past the
    end due to the off-by-one error, but now no such byte is guaranteed.

    Fix this by copying to a temporary buffer and explicitly adding a NUL.

    Whilst here, change the strlcpy call to use a far less suspicious
    argument for dstsize; in practice it's fine, but it's an unusual
    pattern and not necessary.

    Found by:       CHERI
    Reviewed by:    emaste, kevans, jhb
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D33616
---
 sys/kern/kern_jail.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 377539f1d1bd..e505e9bf1276 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -239,6 +239,8 @@ prison0_init(void) { uint8_t *file, *data; size_t size; + char buf[sizeof(prison0.pr_hostuuid)]; + bool valid; prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset); prison0.pr_osreldate = osreldate;
@@ -258,10 +260,31 @@ prison0_init(void) while (size > 0 && data[size - 1] <= 0x20) { size--; } - if (validate_uuid(data, size, NULL, 0) == 0) { - (void)strlcpy(prison0.pr_hostuuid, data, - size + 1); - } else if (bootverbose) { + + valid = false; + + /* + * Not NUL-terminated when passed from loader, but + * validate_uuid requires that due to using sscanf (as + * does the subsequent strlcpy, since it still reads + * past the given size to return the true length); + * bounce to a temporary buffer to fix. + */ + if (size >= sizeof(buf)) + goto done; + + memcpy(buf, data, size); + buf[size] = '\0'; + + if (validate_uuid(buf, size, NULL, 0) != 0) + goto done; + + valid = true; + (void)strlcpy(prison0.pr_hostuuid, buf, + sizeof(prison0.pr_hostuuid)); + +done: + if (bootverbose && !valid) { printf("hostuuid: preload data malformed: '%.*s'\n", (int)size, data); }
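Review bot: the declaration of `buf` in the first hunk (`char buf[sizeof(prison0.pr_hostuuid)];`) carries no comment, and the reason it is sized to the destination field rather than to a UUID string length is only explained by the block comment in the second hunk, well below the declaration. Suggest a one-line comment at the declaration, e.g. `/* NUL-terminated bounce copy of the preload data; same size as pr_hostuuid */`, so the coupling between the two sizes is visible where the array is defined.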
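Review bot: the guard `if (size >= sizeof(buf)) goto done;` in the second hunk is what keeps `buf[size] = '\0'` in bounds, and because `buf` and `prison0.pr_hostuuid` have the same size it also guarantees that `strlcpy(prison0.pr_hostuuid, buf, sizeof(prison0.pr_hostuuid))` can never truncate; the comment above it only mentions the missing NUL terminator, so suggest adding one sentence stating the no-truncation property, since a later change to either bound could silently reintroduce truncation. A minor second point: the over-length case and a failed `validate_uuid` both fall through to the same `hostuuid: preload data malformed` message; printing from `data` with `%.*s` and `(int)size` is correct on both paths (`buf` is not populated on the first), but a distinct message for the over-length case would make loader-supplied values easier to debug.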