Date: Fri, 30 Jul 2021 00:33:14 GMT
Message-Id: <202107300033.16U0XEAi043596@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: b76e41fca95f - stable/13 - Add required sysctl name length checks to various handlers
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b76e41fca95f189a1bc759f3318c96ff8653ba01
List-Id: Commits to the stable branches of the FreeBSD src repository

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b76e41fca95f189a1bc759f3318c96ff8653ba01

commit b76e41fca95f189a1bc759f3318c96ff8653ba01
Author:     Mark Johnston
AuthorDate: 2021-07-23 14:37:11 +0000
Commit:     Mark Johnston
CommitDate: 2021-07-30 00:32:58 +0000

    Add required sysctl name length checks to various handlers

    Reported by:    KMSAN
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 0dcef81de9915e8ce1e3985204bebe7026d96b6f)
---
 sys/kern/kern_descrip.c | 20 ++++++++++++++++++++
 sys/kern/kern_proc.c    | 16 +++++++++++++++-
 sys/net/rtsock.c        |  5 ++++-
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index 36092c9acd42..c7269e4b33a9 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -4092,8 +4092,13 @@ sysctl_kern_proc_nfds(SYSCTL_HANDLER_ARGS) { NDSLOTTYPE *map; struct filedesc *fdp; + u_int namelen; int count, off, minoff; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + if (*(int *)arg1 != 0) return (EINVAL); 
@@ -4482,8 +4487,13 @@ sysctl_kern_proc_filedesc(SYSCTL_HANDLER_ARGS) struct sbuf sb; struct proc *p; ssize_t maxlen; + u_int namelen; int error, error2, *name; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + name = (int *)arg1; sbuf_new_for_sysctl(&sb, NULL, FILEDESC_SBUF_SIZE, req); @@ -4561,10 +4571,15 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLER_ARGS) struct filedesc *fdp; struct pwddesc *pdp; struct pwd *pwd; + u_int namelen; int error, i, lastfile, *name; struct file *fp; struct proc *p; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + name = (int *)arg1; error = pget((pid_t)name[0], PGET_CANDEBUG | PGET_NOTWEXIT, &p); if (error != 0) @@ -4706,8 +4721,13 @@ sysctl_kern_proc_cwd(SYSCTL_HANDLER_ARGS) struct sbuf sb; struct proc *p; ssize_t maxlen; + u_int namelen; int error, error2, *name; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + name = (int *)arg1; sbuf_new_for_sysctl(&sb, NULL, sizeof(struct kinfo_file), req); diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c index ec732e8db060..2017f824f6ad 100644 --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -2297,7 +2297,7 @@ static int sysctl_kern_proc_ovmmap(SYSCTL_HANDLER_ARGS) { vm_map_entry_t entry, tmp_entry; - unsigned int last_timestamp; + unsigned int last_timestamp, namelen; char *fullpath, *freepath; struct kinfo_ovmentry *kve; struct vattr va; @@ -2308,6 +2308,10 @@ sysctl_kern_proc_ovmmap(SYSCTL_HANDLER_ARGS) vm_map_t map; struct vmspace *vm; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + name = (int *)arg1; error = pget((pid_t)name[0], PGET_WANTREAD, &p); if (error != 0) @@ -2678,8 +2682,13 @@ sysctl_kern_proc_vmmap(SYSCTL_HANDLER_ARGS) { struct proc *p; struct sbuf sb; + u_int namelen; int error, error2, *name; + namelen = arg2; + if (namelen != 1) + return (EINVAL); + name = (int *)arg1; sbuf_new_for_sysctl(&sb, NULL, sizeof(struct kinfo_vmentry), req); sbuf_clear_flags(&sb, SBUF_INCLUDENUL); 
@@ -2705,6 +2714,11 @@ sysctl_kern_proc_kstack(SYSCTL_HANDLER_ARGS) struct stack *st; struct sbuf sb; struct proc *p; + u_int namelen; + + namelen = arg2; + if (namelen != 1) + return (EINVAL); name = (int *)arg1; error = pget((pid_t)name[0], PGET_NOTINEXEC | PGET_WANTREAD, &p); diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 3cb645f42e4c..1f898c739725 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -2563,7 +2563,10 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS) u_char af; struct walkarg w; - name ++; + if (namelen < 3) + return (EINVAL); + + name++; namelen--; if (req->newptr) return (EPERM);
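Review bot: In the sys/kern/kern_descrip.c hunks (sysctl_kern_proc_nfds, sysctl_kern_proc_filedesc, sysctl_kern_proc_ofiledesc, sysctl_kern_proc_cwd), `if (namelen != 1)` rejects names with extra trailing elements as well as empty ones, which is stricter than what the following `name[0]` / `*(int *)arg1` read needs, and neither the code nor the commit message says that this is intended. If exact-length matching is the contract, a one-line comment above the check would record it (for example, that the handler takes exactly one name element); if the goal is only to stop the handler from reading an element the caller never supplied, `namelen < 1` would avoid returning EINVAL to callers that previously worked with a longer name. The hunks also do not show the type of arg2: if it is wider than u_int, `namelen = arg2;` narrows the value before the comparison, so testing arg2 directly would be the more robust form and would make the extra local unnecessary.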
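Review bot: The declaration style is inconsistent across the sys/kern/kern_proc.c hunks: sysctl_kern_proc_ovmmap folds the new variable into `unsigned int last_timestamp, namelen;`, while sysctl_kern_proc_vmmap and sysctl_kern_proc_kstack add a separate `u_int namelen;`. Using the same `u_int namelen;` line in all three would keep the change uniform with the kern_descrip.c handlers. The same three-line check now appears in seven handlers that all go on to read `name[0]`; a small shared helper or macro for "exactly one name element" would keep the validation in one place and make it harder for the next handler of this shape to be added without it.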
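Review bot: The bound in the sys/net/rtsock.c hunk, `if (namelen < 3)`, is a bare constant placed before `name++; namelen--;`, so it guarantees two remaining elements after the adjustment, but nothing in the hunk says which name elements sysctl_rtsock goes on to read. A short comment naming the expected elements would let a reader confirm that 3 is the right minimum and would flag the check for update if the name layout changes. The new check also runs ahead of `if (req->newptr) return (EPERM);`, so a write attempt with a short name now gets EINVAL rather than EPERM; moving the length check below the EPERM test would preserve the previous error for writers. The `name ++` to `name++` whitespace fix is unrelated to the functional change and would be easier to review as a separate line item in the commit message.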