Date: Mon, 30 Jan 2023 20:07:15 GMT
Message-Id: <202301302007.30UK7FKr074206@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Brooks Davis
Subject: git: 31068ff99c43 - stable/13 - freebsd32: Make sendmsg match native ABI for unpadded final control message
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: brooks
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 31068ff99c4354cc75fd96786da78931dc1012fd

The branch stable/13 has been updated by brooks:

URL: https://cgit.FreeBSD.org/src/commit/?id=31068ff99c4354cc75fd96786da78931dc1012fd

commit 31068ff99c4354cc75fd96786da78931dc1012fd
Author:     Jessica Clarke
AuthorDate: 2022-09-15 16:16:22 +0000
Commit:     Brooks Davis
CommitDate: 2023-01-30 19:35:53 +0000

    freebsd32: Make sendmsg match native ABI for unpadded final control message

    The API says that CMSG_SPACE should be used for msg_controllen, but in
    practice the native ABI allows you to only use CMSG_LEN for the final
    (typically only) control message, and real-world software does this,
    including Wayland. For freebsd32, this is in practice mostly harmless,
    since control messages are generally used to carry file descriptors,
    which are already 4 bytes in size and thus no padding is needed, but
    they can carry other quantities that may not result in an aligned
    length.

    This was discovered after CheriBSD's freebsd64 equivalent was updated
    to match the freebsd32 implementation, as that uses 8 byte alignment
    which does break the file descriptor use case, and thus Wayland.

    This used to be addressed by aligning buflen before the first
    iteration, but that allowed unwanted invalid inputs and was lost in
    1b1428dcc82b, with no safer equivalent put in its place.
Reviewed by: brooks, kib, markj Obtained from: CheriBSD Fixes: 1b1428dcc82b ("Fix a TOCTOU vulnerability in freebsd32_copyin_control().") Differential Revision: https://reviews.freebsd.org/D36554 (cherry picked from commit 7b673a2c73d0577e2c006aeb110295a522b98135) --- sys/compat/freebsd32/freebsd32_misc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 416cb8fe902e..70eece0311f4 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -1525,15 +1525,19 @@ freebsd32_copyin_control(struct mbuf **mp, caddr_t buf, u_int buflen) break; } cm = (struct cmsghdr *)in1; - if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm))) { + if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm)) || + cm->cmsg_len > buflen) { error = EINVAL; break; } msglen = FREEBSD32_ALIGN(cm->cmsg_len); - if (msglen > buflen || msglen < cm->cmsg_len) { + if (msglen < cm->cmsg_len) { error = EINVAL; break; } + /* The native ABI permits the final padding to be omitted. */ + if (msglen > buflen) + msglen = buflen; buflen -= msglen; in1 = (char *)in1 + msglen;
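Review bot: the new clamp `if (msglen > buflen) msglen = buflen;` is only safe because the `cm->cmsg_len > buflen` rejection was moved into the first check: with cmsg_len <= buflen guaranteed, the clamp can only fire when the remaining bytes are shorter than the alignment padding, so `buflen -= msglen` leaves zero and the loop necessarily ends on this message. The comment says "final" but does not state that invariant; consider spelling it out (or adding a KASSERT that buflen is 0 after the clamp) so a later reordering of the two checks cannot reintroduce the case 1b1428dcc82b removed, where an under-sized middle message would shift the parse of the following header. The retained `msglen < cm->cmsg_len` overflow check is still correct and cheap, so leaving it in place is fine.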
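The rule the commit describes (a header must be complete, its unpadded length must fit the buffer, and only the alignment padding of the final message may be missing) as a user-space walk over a constructed control buffer. This is added example code, not the kernel's; the `cmsg32` struct, `align_up`, `walk_control` and `check_unpadded` are stand-ins, the 8-byte freebsd64 alignment is assumed from the message text, and the `strict` flag reproduces the pre-patch rule so both behaviours can be compared.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 32-bit cmsghdr: three 4-byte fields. */
struct cmsg32 { uint32_t cmsg_len; int32_t cmsg_level; int32_t cmsg_type; };

static unsigned align_up(unsigned n, unsigned a) { return (n + a - 1) & ~(a - 1); }

/*
 * Validate a control buffer the way the patched freebsd32_copyin_control()
 * does.  align is the ABI alignment (4 for freebsd32, 8 assumed for freebsd64);
 * strict != 0 keeps the pre-patch rule that even the final message must
 * include its padding.  Returns 0 or EINVAL.
 */
static int walk_control(const char *buf, unsigned buflen, unsigned align, int strict)
{
	struct cmsg32 cm; unsigned msglen;

	while (buflen > 0) {
		if (buflen < sizeof(cm))
			return (EINVAL);	/* no room for a header */
		memcpy(&cm, buf, sizeof(cm));
		/* Header must be complete and the unpadded message must fit. */
		if (cm.cmsg_len < align_up(sizeof(cm), align) || cm.cmsg_len > buflen)
			return (EINVAL);
		msglen = align_up(cm.cmsg_len, align);
		if (msglen < cm.cmsg_len)
			return (EINVAL);	/* alignment overflowed */
		if (msglen > buflen) {
			if (strict)
				return (EINVAL);	/* old rule: padding required */
			msglen = buflen;	/* new rule: final padding omitted */
		}
		buflen -= msglen;
		buf += msglen;
	}
	return (0);
}

/* One constructed message sized with CMSG_LEN (no trailing padding);
 * forged_len != 0 overwrites cmsg_len to mimic a header that over-claims. */
static int check_unpadded(unsigned align, unsigned datalen, unsigned forged_len, int strict)
{
	char buf[64] = { 0 };
	struct cmsg32 cm = { align_up(sizeof(struct cmsg32), align) + datalen, 0xffff, 1 };
	unsigned buflen = cm.cmsg_len;	/* caller passes CMSG_LEN, not CMSG_SPACE */

	if (forged_len != 0)
		cm.cmsg_len = forged_len;
	memcpy(buf, &cm, sizeof(cm));
	return (walk_control(buf, buflen, align, strict));
}
```

With 4-byte alignment a single file descriptor needs no padding either way, which is why the bug was only noticed once an 8-byte ABI (or a non-aligned payload such as a 2-byte value) was involved.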