From: Enji Cooper
Subject: Re: git: fc915f1be145 - main - pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
Date: Fri, 23 Jun 2023 08:38:44 -0700
Message-Id: <0BAC85B7-6A67-4F6E-87B8-97ABD2FF7075@gmail.com>
In-Reply-To: <202306231509.35NF9sAk037726@gitrepo.freebsd.org>
To: Mark Johnston
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

> On Jun 23, 2023, at 08:09, Mark Johnston wrote:
>
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=fc915f1be145a52c53f6f1c37525043216e32bb8
>
> commit fc915f1be145a52c53f6f1c37525043216e32bb8
> Author:     Mark Johnston
> AuthorDate: 2023-06-23 13:54:39 +0000
> Commit:     Mark Johnston
> CommitDate: 2023-06-23 13:54:39 +0000
>
>     pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
>
>     pseudofs nodes store their name in a flexible array member, so the node
>     allocation is sized using the length of the name, including a nul
>     terminator.  pfs_lookup() scans a directory of nodes, comparing names to
>     find a match.  The comparison was incorrect and assumed that all node
>     names were at least as long as the name being looked up, which of course
>     isn't true.
>
>     I believe the bug is mostly harmless since it cannot result in false
>     positive or negative matches from the lookup, but it triggers a KASAN
>     check.
>
>     Reported by:    pho
>     Reviewed by:    kib, Olivier Certner
>     MFC after:      2 weeks
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision:  https://reviews.freebsd.org/D40692
> ---
>  sys/fs/pseudofs/pseudofs_vnops.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
> index 53e4c2b6b85c..bf423f0ad4db 100644
> --- a/sys/fs/pseudofs/pseudofs_vnops.c
> +++ b/sys/fs/pseudofs/pseudofs_vnops.c
> @@ -537,8 +537,8 @@ pfs_lookup(struct vop_cachedlookup_args *va)
>  	for (pn = pd->pn_nodes; pn != NULL; pn = pn->pn_next)
>  		if (pn->pn_type == pfstype_procdir)
>  			pdn = pn;
> -		else if (pn->pn_name[namelen] == '\0' &&
> -		    bcmp(pname, pn->pn_name, namelen) == 0) {
> +		else if (strncmp(pname, pn->pn_name, namelen) == 0 &&
> +		    pn->pn_name[namelen] == '\0') {
>  			pfs_unlock(pd);
>  			goto got_pnode;
>  		}

Naive question: should this be an && conditional or an || conditional? If the former, could this be simplified by using a direct NUL char equality check instead of using strncmp?

Thanks!
-Enji
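Review bot: the fix depends on operand order and nothing in the hunk records that. `strncmp(pname, pn->pn_name, namelen) == 0` has to be evaluated first because strncmp stops at the first NUL in pn_name, so a zero result proves pn_name holds at least namelen characters and the read in `pn->pn_name[namelen] == '\0'` is inside the allocation; the removed lines did the indexed read first, before anything established the name was that long, which is the out-of-bounds access the commit message describes. A short comment above the `else if` stating that ordering would keep a later cleanup from swapping the operands back. The second operand is still required, since strncmp alone would also match any node whose name merely begins with pname.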
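As an added illustration (not code from the commit, from FreeBSD, or from either participant), the following user-space model replays the two comparisons from the hunk against a constructed directory of flexible-array nodes, with an allocation-size check standing in for KASAN. struct pfs_node, node_new, name_at, do_lookup and the node names are hypothetical, and memcmp stands in for the kernel's bcmp.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a pseudofs node: pn_name is a flexible array
 * member, so each node is allocated with exactly strlen(name) + 1 bytes. */
struct pfs_node {
    struct pfs_node *pn_next;
    size_t pn_alloc;   /* bytes allocated for pn_name; stands in for KASAN here */
    char pn_name[];
};

static struct pfs_node *node_new(const char *name, struct pfs_node *next) {
    size_t len = strlen(name) + 1;
    struct pfs_node *pn = malloc(sizeof(*pn) + len);
    if (pn == NULL) abort();
    pn->pn_next = next; pn->pn_alloc = len;
    memcpy(pn->pn_name, name, len);
    return pn;
}

/* Index pn_name[i], but count a read outside the allocation instead of doing
 * it; the real kernel would read past the node and trip the KASAN check. */
static int oob_reads;
static int name_at(const struct pfs_node *pn, size_t i) {
    if (i >= pn->pn_alloc) { oob_reads++; return -1; }
    return pn->pn_name[i];
}
/* Before the fix: pn_name[namelen] is read before anything shows the name is that long. */
static int match_old(const struct pfs_node *pn, const char *pname, size_t namelen) {
    return name_at(pn, namelen) == '\0' && memcmp(pname, pn->pn_name, namelen) == 0;
}
/* After the fix: strncmp stops at the first NUL, so a result of 0 proves pn_name
 * holds at least namelen bytes and that index namelen is inside the allocation. */
static int match_new(const struct pfs_node *pn, const char *pname, size_t namelen) {
    return strncmp(pname, pn->pn_name, namelen) == 0 && name_at(pn, namelen) == '\0';
}
/* Scan a constructed directory (two names shorter than the lookup, one match)
 * with the old (fixed == 0) or new (fixed == 1) check; returns 1 on a match. */
static int do_lookup(const char *pname, int fixed) {
    struct pfs_node *dir = node_new("ab", node_new("fd", node_new("status", NULL)));
    int found = 0; oob_reads = 0;
    for (struct pfs_node *pn = dir; pn != NULL; pn = pn->pn_next)
        if ((fixed ? match_new : match_old)(pn, pname, strlen(pname))) { found = 1; break; }
    while (dir != NULL) { struct pfs_node *next = dir->pn_next; free(dir); dir = next; }
    return found;
}
int lookup_found(const char *pname, int fixed) { return do_lookup(pname, fixed); }
/* Out-of-bounds name reads the same lookup would have performed. */
int lookup_oob_reads(const char *pname, int fixed) { do_lookup(pname, fixed); return oob_reads; }
```

Both checks return the same match results; only the old one touches memory past the two short nodes, which is exactly what the KASAN report pointed at.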