Date: Mon, 29 Apr 2024 02:49:28 GMT
Message-Id: <202404290249.43T2nSsM073439@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Olivier Certner <olce@FreeBSD.org>
Subject: git: 3e4989127020 - stable/14 - sys_procctl(): Make it
  clear that negative commands are invalid
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 3e498912702094b35f61fd86e557c4f4148aead8
Auto-Submitted: auto-generated

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=3e498912702094b35f61fd86e557c4f4148aead8

commit 3e498912702094b35f61fd86e557c4f4148aead8
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-04-10 14:32:32 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2024-04-29 02:48:02 +0000

    sys_procctl(): Make it clear that negative commands are invalid
    
    An initial reading of the preamble of sys_procctl() gives the impression
    that no test prevents a malicious user from passing a negative commands
    index (in 'uap->com'), which is soon used as an index into the static
    array procctl_cmds_info[].
    
    However, a closer examination leads to the conclusion that the existing
    code is technically correct.  Indeed, the comparison of 'uap->com' to
    the nitems() expression, which expands to a ratio of sizeof(), leads to
    a conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic
    Conversions/Integer Promotions applied by '<=', because sizeof() returns
    'size_t' values, and we define 'size_t' as an equivalent of 'unsigned
    int' (which is not mandated by the standard, the latter allowing, e.g.,
    integers of lower ranks).
    
    With this conversion, negative values of 'uap->com' are automatically
    ruled out since they are converted to very big unsigned integers which
    are caught by the test.  An analysis of assembly code produced by LLVM
    16 on amd64 and practical tests confirm that no exploitation is possible.
    
    However, the guard code as written is misleading to readers and might
    trip up static analysis tools.  Make sure that negative values are
    explicitly excluded so that it is immediately clear that EINVAL will be
    returned in this case.
    
    Build tested with clang 16 and GCC 12.
    
    Approved by:    markj (mentor)
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit afc10f8bba3dd293a66461aaca41237c986b6ca7)
    
    Approved by:    emaste (mentor)
---
 sys/kern/kern_procctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_procctl.c b/sys/kern/kern_procctl.c
index e6a142b2a7ac..9e860e7c80a5 100644
--- a/sys/kern/kern_procctl.c
+++ b/sys/kern/kern_procctl.c
@@ -1123,7 +1123,7 @@ sys_procctl(struct thread *td, struct procctl_args *uap)
 	if (uap->com >= PROC_PROCCTL_MD_MIN)
 		return (cpu_procctl(td, uap->idtype, uap->id,
 		    uap->com, uap->data));
-	if (uap->com == 0 || uap->com >= nitems(procctl_cmds_info))
+	if (uap->com <= 0 || uap->com >= nitems(procctl_cmds_info))
 		return (EINVAL);
 	cmd_info = &procctl_cmds_info[uap->com];
 	bzero(&x, sizeof(x));
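
Review bot: The right-hand test on the changed line, `uap->com >= nitems(procctl_cmds_info)`, still depends on the implicit signed-to-unsigned conversion that the commit message describes, so a compiler or analyzer with sign-compare warnings enabled may keep flagging this line even though the new `uap->com <= 0` test makes the conversion harmless by the time it is evaluated. Consider making the conversion explicit, for example `(size_t)uap->com >= nitems(procctl_cmds_info)`, or adding a one-line comment above the check saying that non-positive commands are rejected before `uap->com` is used to index procctl_cmds_info[], so the reasoning lives next to the code and not only in the commit log.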