Date: Mon, 30 Jan 2023 20:07:15 GMT From: Brooks Davis <brooks@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 31068ff99c43 - stable/13 - freebsd32: Make sendmsg match native ABI for unpadded final control message Message-ID: <202301302007.30UK7FKr074206@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by brooks: URL: https://cgit.FreeBSD.org/src/commit/?id=31068ff99c4354cc75fd96786da78931dc1012fd commit 31068ff99c4354cc75fd96786da78931dc1012fd Author: Jessica Clarke <jrtc27@FreeBSD.org> AuthorDate: 2022-09-15 16:16:22 +0000 Commit: Brooks Davis <brooks@FreeBSD.org> CommitDate: 2023-01-30 19:35:53 +0000 freebsd32: Make sendmsg match native ABI for unpadded final control message The API says that CMSG_SPACE should be used for msg_controllen, but in practice the native ABI allows you to only use CMSG_LEN for the final (typically only) control message, and real-world software does this, including Wayland. For freebsd32, this is in practice mostly harmless, since control messages are generally used to carry file descriptors, which are already 4 bytes in size and thus no padding is needed, but they can carry other quantities that may not result in an aligned length. This was discovered after CheriBSD's freebsd64 equivalent was updated to match the freebsd32 implementation, as that uses 8 byte alignment which does break the file descriptor use case, and thus Wayland. This used to be addressed by aligning buflen before the first iteration, but that allowed unwanted invalid inputs and was lost in 1b1428dcc82b, with no safer equivalent put in its place. Reviewed by: brooks, kib, markj Obtained from: CheriBSD Fixes: 1b1428dcc82b ("Fix a TOCTOU vulnerability in freebsd32_copyin_control().") Differential Revision: https://reviews.freebsd.org/D36554 (cherry picked from commit 7b673a2c73d0577e2c006aeb110295a522b98135) --- sys/compat/freebsd32/freebsd32_misc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 416cb8fe902e..70eece0311f4 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -1525,15 +1525,19 @@ freebsd32_copyin_control(struct mbuf **mp, caddr_t buf, u_int buflen) break; } cm = (struct cmsghdr *)in1; - if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm))) { + if (cm->cmsg_len < FREEBSD32_ALIGN(sizeof(*cm)) || + cm->cmsg_len > buflen) { error = EINVAL; break; } msglen = FREEBSD32_ALIGN(cm->cmsg_len); - if (msglen > buflen || msglen < cm->cmsg_len) { + if (msglen < cm->cmsg_len) { error = EINVAL; break; } + /* The native ABI permits the final padding to be omitted. */ + if (msglen > buflen) + msglen = buflen; buflen -= msglen; in1 = (char *)in1 + msglen;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202301302007.30UK7FKr074206>