Date: Wed, 10 Apr 2024 15:16:11 GMT
Message-Id: <202404101516.43AFGBpZ091911@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: afc10f8bba3d - main - sys_procctl(): Make it clear that negative commands are invalid
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: dev-commits-src-all+owner@freebsd.org
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: afc10f8bba3dd293a66461aaca41237c986b6ca7
Auto-Submitted: auto-generated

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=afc10f8bba3dd293a66461aaca41237c986b6ca7

commit afc10f8bba3dd293a66461aaca41237c986b6ca7
Author:     Olivier Certner
AuthorDate: 2024-04-10 14:32:32 +0000
Commit:     Olivier Certner
CommitDate: 2024-04-10 15:15:25 +0000

    sys_procctl(): Make it clear that negative commands are invalid

    An initial reading of the preamble of sys_procctl() gives the impression
    that no test prevents a malicious user from passing a negative commands
    index (in 'uap->com'), which is soon used as an index into the static
    array procctl_cmds_info[].

    However, a closer examination leads to the conclusion that the existing
    code is technically correct. Indeed, the comparison of 'uap->com' to
    the nitems() expression, which expands to a ratio of sizeof(), leads to
    a conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic
    Conversions/Integer Promotions applied by '<=', because sizeof() returns
    'size_t' values, and we define 'size_t' as an equivalent of 'unsigned
    int' (which is not mandated by the standard, the latter allowing, e.g.,
    integers of lower ranks).

    With this conversion, negative values of 'uap->com' are automatically
    ruled-out since they are converted to very big unsigned integers which
    are caught by the test.
    An analysis of assembly code produced by LLVM 16 on amd64 and practical
    tests confirm that no exploitation is possible.

    However, the guard code as written is misleading to readers and might
    trip up static analysis tools. Make sure that negative values are
    explicitly excluded so that it is immediately clear that EINVAL will be
    returned in this case.

    Build tested with clang 16 and GCC 12.

    Approved by:    markj (mentor)
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
---
 sys/kern/kern_procctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c index 46ddfaf709bd..150a8612c2f8 100644 --- a/sys/kern/kern_procctl.c +++ b/sys/kern/kern_procctl.c @@ -1126,7 +1126,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap) if (uap->com >= PROC_PROCCTL_MD_MIN) return (cpu_procctl(td, uap->idtype, uap->id, uap->com, uap->data)); - if (uap->com == 0 || uap->com >= nitems(procctl_cmds_info)) + if (uap->com <= 0 || uap->com >= nitems(procctl_cmds_info)) return (EINVAL); cmd_info = &procctl_cmds_info[uap->com]; bzero(&x, sizeof(x));
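
Review bot: on the changed guard line, the right-hand test "uap->com >= nitems(procctl_cmds_info)" still compares 'uap->com', which the commit message treats as possibly negative, against a sizeof()-derived unsigned value, so the upper bound continues to rely on the implicit conversion the message describes. With "uap->com <= 0" evaluated first the result is correct, but since the stated goal is a guard that is obvious to readers and static analysis tools, consider an explicit cast on one side of that comparison, or a one-line comment above the test, so the signed/unsigned mix is visibly intentional. Minor: the message says the conversion is applied by '<=', while the operator that involves nitems() in this hunk is '>='.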
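
The conversion argument in the commit message above, worked through as an added example that is not FreeBSD code: the table `cmds` and the three `valid_*()` helpers are hypothetical, and `nitems()` is redefined locally. It goes one step beyond the commit by adding a bound of lower rank than 'int' (assuming 16-bit 'short' and 32-bit 'int'), the case in which the implicit guard stops rejecting negative indexes while the explicit one does not depend on the bound's type.

```c
#include <stddef.h>
#include <stdio.h>

#define nitems(x)	(sizeof(x) / sizeof((x)[0]))

/* Constructed stand-in for a static command table; slot 0 is unused. */
static const char *const cmds[] = { NULL, "one", "two", "three" };

/* Old guard shape: '>=' converts 'com' to size_t, so -1 becomes SIZE_MAX. */
static int
valid_implicit(int com)
{
	return (!(com == 0 || com >= nitems(cmds)));
}

/* New guard shape: negative values are rejected before any conversion. */
static int
valid_explicit(int com)
{
	return (!(com <= 0 || com >= nitems(cmds)));
}

/*
 * Hypothetical bound of lower rank than 'int': the unsigned short is promoted
 * to signed int, the comparison is signed, and a negative 'com' is accepted.
 */
static int
valid_narrow_bound(int com)
{
	unsigned short n = (unsigned short)nitems(cmds);

	return (!(com == 0 || com >= n));
}

int
main(void)
{
	static const int samples[] = { -2147483647 - 1, -1, 0, 1, 3, 4 };

	for (size_t i = 0; i < nitems(samples); i++)
		printf("%11d implicit=%d explicit=%d narrow=%d\n", samples[i],
		    valid_implicit(samples[i]), valid_explicit(samples[i]),
		    valid_narrow_bound(samples[i]));
	return (0);
}
```

Compiling with -Wsign-compare flags the comparison in both size_t guards and is silent on the narrow-bound variant, which is the only one that accepts a negative index.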