From owner-dev-commits-src-main@freebsd.org Sat May 22 16:17:50 2021
Return-Path:
Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4844D631408; Sat, 22 May 2021 16:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FnTCf1bZLz4T1q; Sat, 22 May 2021 16:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1DAD62751E; Sat, 22 May 2021 16:17:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 14MGHoIB031562; Sat, 22 May 2021 16:17:50 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 14MGHoYk031561; Sat, 22 May 2021 16:17:50 GMT (envelope-from git)
Date: Sat, 22 May 2021 16:17:50 GMT
Message-Id: <202105221617.14MGHoYk031561@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: e4b16f2fb18b - main - ktrace: Avoid recursion in namei()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e4b16f2fb18bcb6ed2592a7b6983d5df04813a70
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for the main branch of the src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 22 May 2021 16:17:50 -0000

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e4b16f2fb18bcb6ed2592a7b6983d5df04813a70

commit e4b16f2fb18bcb6ed2592a7b6983d5df04813a70
Author:     Mark Johnston
AuthorDate: 2021-05-22 16:07:32 +0000
Commit:     Mark Johnston
CommitDate: 2021-05-22 16:07:32 +0000

    ktrace: Avoid recursion in namei()

    sys_ktrace() calls namei(), which may call ktrnamei().  But sys_ktrace()
    also calls ktrace_enter() first, so if the caller is itself being traced,
    the assertion in ktrace_enter() is triggered.  And, ktrnamei() does not
    check for recursion like most other ktrace ops do.

    Fix the bug by simply deferring the ktrace_enter() call.  Also make the
    parameter to ktrnamei() const and convert to ANSI.

    Reported by:	syzbot+d0a4de45e58d3c08af4b@syzkaller.appspotmail.com
    Reviewed by:	kib
    MFC after:	1 week
    Sponsored by:	The FreeBSD Foundation
    Differential Revision:	https://reviews.freebsd.org/D30340
---
 sys/kern/kern_ktrace.c | 13 +++++--------
 sys/sys/ktrace.h       |  2 +-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 8783600df6b1..875c079df3b9 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -698,8 +698,7 @@ ktruserret(struct thread *td) } void -ktrnamei(path) - char *path; +ktrnamei(const char *path) { struct ktr_request *req; int namelen; @@ -1017,7 +1016,6 @@ sys_ktrace(struct thread *td, struct ktrace_args *uap) return (EINVAL); kiop = NULL; - ktrace_enter(td); if (ops != KTROP_CLEAR) { /* * an operation which requires a file argument. @@ -1025,23 +1023,22 @@ sys_ktrace(struct thread *td, struct ktrace_args *uap) NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, uap->fname, td); flags = FREAD | FWRITE | O_NOFOLLOW; error = vn_open(&nd, &flags, 0, NULL); - if (error) { - ktrace_exit(td); + if (error) return (error); - } NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; VOP_UNLOCK(vp); if (vp->v_type != VREG) { - (void) vn_close(vp, FREAD|FWRITE, td->td_ucred, td); - ktrace_exit(td); + (void)vn_close(vp, FREAD|FWRITE, td->td_ucred, td); return (EACCES); } kiop = ktr_io_params_alloc(td, vp); } + /* * Clear all uses of the tracefile. */ + ktrace_enter(td); if (ops == KTROP_CLEARFILE) { restart: sx_slock(&allproc_lock); diff --git a/sys/sys/ktrace.h b/sys/sys/ktrace.h index 50030d002f97..f1f9361f9f82 100644 --- a/sys/sys/ktrace.h +++ b/sys/sys/ktrace.h @@ -269,7 +269,7 @@ struct ktr_io_params; struct vnode *ktr_get_tracevp(struct proc *, bool); void ktr_io_params_free(struct ktr_io_params *); -void ktrnamei(char *); +void ktrnamei(const char *); void ktrcsw(int, int, const char *); void ktrpsig(int, sig_t, sigset_t *, int); void ktrfault(vm_offset_t, int);
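Review bot: In the `@@ -1017,7 +1016,6 @@ sys_ktrace` hunk, dropping `ktrace_enter(td);` before the `ops != KTROP_CLEAR` branch moves the `vn_open(&nd, ...)` lookup of `uap->fname` outside the ktrace_enter()/ktrace_exit() window, so a traced caller now gets its tracefile lookup recorded by ktrnamei() instead of tripping the assertion. That is the intended fix, but the commit message only says the call is deferred; it should also state that the open of the tracefile is now itself visible in the caller's trace, and that `ktr_io_params_alloc(td, vp)` is now called without the guard held, so reviewers can confirm nothing there depended on it.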
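Review bot: In the `@@ -1025,23 +1023,22 @@ sys_ktrace` hunk, the relocated `ktrace_enter(td);` is placed between the comment `Clear all uses of the tracefile.` and `if (ops == KTROP_CLEARFILE) {`, which detaches the comment from the CLEARFILE block it describes and makes it read as if it annotated the enter call, which applies to every op; put `ktrace_enter(td);` above the comment (keeping the added blank line) so the comment stays with the `if`. Removing the two `ktrace_exit(td);` calls on the `vn_open` error path and the `v_type != VREG` path is correct now that the enter no longer precedes them; the `(void) vn_close` to `(void)vn_close` spacing change is an unrelated style(9) cleanup bundled into the fix.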
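Added example, not FreeBSD's code: a small C model of the enter/exit recursion guard described in the commit message, showing why taking the guard before the tracefile open trips on a caller that is itself traced and why deferring it does not. The names `INKTRACE`, `sys_ktrace_old`, `sys_ktrace_new` and `run_case` are constructed for this model; the real ktrace_enter() asserts rather than returning a status.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not the FreeBSD kernel: a per-thread "in ktrace" flag
 * that ktrace_enter()/ktrace_exit() set and clear to detect recursion. */
#define INKTRACE 0x1
struct thread { int pflags; bool traced; };
/* The real ktrace_enter() asserts the flag is clear; this model returns
 * false instead so callers can observe the would-be assertion. */
static bool ktrace_enter(struct thread *td) {
    if (td->pflags & INKTRACE)
        return false;
    td->pflags |= INKTRACE;
    return true;
}
static void ktrace_exit(struct thread *td) { td->pflags &= ~INKTRACE; }
/* Models ktrnamei(): records a NAMI event through the guard. */
static bool ktrnamei(struct thread *td, const char *path) {
    if (!ktrace_enter(td))
        return false;               /* recursion: guard already held */
    printf("NAMI \"%s\"\n", path);
    ktrace_exit(td);
    return true;
}
/* Models namei() as called from vn_open(): traced callers get a NAMI record. */
static bool vn_open(struct thread *td, const char *fname) {
    return td->traced ? ktrnamei(td, fname) : true;
}
/* Ordering before the fix: enter the guard, then open the tracefile.
 * Returns 0 on success, 1 if the nested ktrnamei() hit the guard. */
int sys_ktrace_old(struct thread *td, const char *fname) {
    ktrace_enter(td);
    bool ok = vn_open(td, fname);
    ktrace_exit(td);
    return ok ? 0 : 1;
}
/* Ordering after the fix: open first, take the guard only afterwards. */
int sys_ktrace_new(struct thread *td, const char *fname) {
    if (!vn_open(td, fname))
        return 1;
    ktrace_enter(td);   /* set or clear trace points under the guard here */
    ktrace_exit(td);
    return 0;
}
/* Runs one ordering for a thread that is (or is not) itself being traced. */
int run_case(int (*sysc)(struct thread *, const char *), bool traced) {
    struct thread td = { 0, traced };
    return sysc(&td, "/tmp/ktrace.out");   /* constructed tracefile path */
}
```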