From nobody Mon Apr 29 05:34:06 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VSX7g1TZ0z5JJ8J; Mon, 29 Apr 2024 05:34:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VSX7f6Lsmz4Gp2; Mon, 29 Apr 2024 05:34:06 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714368846; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4VJIuF57YQGJXWM3IhfcF3dgfT7A2BoLQJpJMp3O7D4=; b=DNdS/Tqf3l9SJnOTn9QysRt+Dl2mPtnl1A5NOrwgBfWTeKD219nC/1v1zI7EA4242Vucxl wZ2jNTQReL2VRmLGKQfX3aQMt1Um2XyL0hzQKQQckih6y4w4mNXuuk6JIWu9EoA1ipfYng IZXMiqZx6e/+y/1jOU3TrseAhbPahv/UcKGKocsTtphbY8IsF0q7vbW3gSRe76OVtIOaYB UF4rAqHHsnkxfvD6ppblMzQG9GWlIrnraj878MLcCaeBtP8dbsfRQEb9Y+Pw7aCw/zg29/ dj1usY4AnT1oH/EP3jnmWTPkC8Eo8TyrXTuoPB7EPwzMqkpXEQEHsCjDKk5J6A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1714368846; a=rsa-sha256; cv=none; b=h9EWMV4rk+y9k8vUfipruRBw8lueZHJTCGvuwhlCX2Zr0dlwgTx9MMCKlq7FNtxWIP5INs X1ndLM6CjzwB+XpTta5amtjYkxu1m9ccbbieYrB/Boj/9UkvO/G+jaE1IWSVnJd/hEpQQx ssGwK8B+izVka9/A2aC9Qsf9KCmL3+EXNbuiMmpX/+8p8KOo2pXP6fUl/WqhSs427jelKJ 3TGoZVzKtU+diCz/Z83w3IUatkKP++rqbsoIMw+xzR30DxvYIMBqB+vLOowtBPfao9QIoW +moPptu+Oh3JG/IC7iCXKaHAE/nuYCcnaBdgBtTa2HJaoUJBZ23Pk+xUeDGVZw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714368846; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4VJIuF57YQGJXWM3IhfcF3dgfT7A2BoLQJpJMp3O7D4=; b=H0wnRULWnVWW2o3kayTnHyDC/X8Gmw8G37+4DaiC4jbtmlYNFHI3xior0Oy4UxV0xWWnAf xeeNwQMxnqDdOHyMn/pop3rSk17ReYPRZeG+5YyKSpItrnwX6DrLkNuNACbKb+2m9XN/KM S3ekfKSUaELtXD496RXGBDCbycfU7oVtyz/KTu7NoEoVbyvqE2TWYSLLGPUgVZ3GzU7G4P UIziT9SkL/5JgvUWZVpU8sVhpxsOCc/nlk9qNDmWL7kqb7VHWZVAp4oY1F5Rfn/uGV+QDm s5MJ1FsLP7FcbCrdmB2S85iFhplCqtuYLF2ZAQt3SYbca1xMoELMLReSUJcpsw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VSX7f5dx3zwdG; Mon, 29 Apr 2024 05:34:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 43T5Y6CT063407; Mon, 29 Apr 2024 05:34:06 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 43T5Y6Uv063405; Mon, 29 Apr 2024 05:34:06 GMT (envelope-from git) Date: Mon, 29 Apr 2024 05:34:06 GMT Message-Id: <202404290534.43T5Y6Uv063405@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: eb07a26af199 - stable/13 - sys_procctl(): Make it clear that negative commands are invalid List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: eb07a26af1996dc5a006cc14a670bd0583aba9c4 Auto-Submitted: auto-generated The branch stable/13 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=eb07a26af1996dc5a006cc14a670bd0583aba9c4 commit eb07a26af1996dc5a006cc14a670bd0583aba9c4 Author: Olivier Certner AuthorDate: 2024-04-10 14:32:32 +0000 Commit: Olivier Certner CommitDate: 2024-04-29 05:33:30 +0000 sys_procctl(): Make it clear that negative commands are invalid An initial reading of the preamble of sys_procctl() gives the impression that no test prevents a malicious user from passing a negative commands index (in 'uap->com'), which is soon used as an index into the static array procctl_cmds_info[]. However, a closer examination leads to the conclusion that the existing code is technically correct. Indeed, the comparison of 'uap->com' to the nitems() expression, which expands to a ratio of sizeof(), leads to a conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic Conversions/Integer Promotions applied by '<=', because sizeof() returns 'size_t' values, and we define 'size_t' as an equivalent of 'unsigned int' (which is not mandated by the standard, the latter allowing, e.g., integers of lower ranks). With this conversion, negative values of 'uap->com' are automatically ruled-out since they are converted to very big unsigned integers which are caught by the test. An analysis of assembly code produced by LLVM 16 on amd64 and practical tests confirm that no exploitation is possible. However, the guard code as written is misleading to readers and might trip up static analysis tools. Make sure that negative values are explicitly excluded so that it is immediately clear that EINVAL will be returned in this case. Build tested with clang 16 and GCC 12. Approved by: markj (mentor) MFC after: 1 week Sponsored by: The FreeBSD Foundation (cherry picked from commit afc10f8bba3dd293a66461aaca41237c986b6ca7) Approved by: emaste (mentor) --- sys/kern/kern_procctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c index e6a142b2a7ac..9e860e7c80a5 100644 --- a/sys/kern/kern_procctl.c +++ b/sys/kern/kern_procctl.c @@ -1123,7 +1123,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap) if (uap->com >= PROC_PROCCTL_MD_MIN) return (cpu_procctl(td, uap->idtype, uap->id, uap->com, uap->data)); - if (uap->com == 0 || uap->com >= nitems(procctl_cmds_info)) + if (uap->com <= 0 || uap->com >= nitems(procctl_cmds_info)) return (EINVAL); cmd_info = &procctl_cmds_info[uap->com]; bzero(&x, sizeof(x));