Date:      Tue, 17 Oct 2023 13:37:07 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 761ae1ce798a - main - ktrace: Handle uio_resid underflow via MSG_TRUNC
Message-ID:  <202310171337.39HDb76r095780@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=761ae1ce798add862d78728cc5ac5240ce7db779

commit 761ae1ce798add862d78728cc5ac5240ce7db779
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-16 20:11:55 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-17 13:12:19 +0000

    ktrace: Handle uio_resid underflow via MSG_TRUNC
    
    When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
    or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
    intentionally underflow uio_resid so that userspace can find out how
    many bytes it should have asked for.
    
    If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
    copy in beyond the end of the output buffer's iovec.  In general this
    will silently cause the ktrace operation to fail since it'll result in
    EFAULT from uiomove().  Let's be more careful and make sure not to try
    and copy more bytes than we have.
    
    Fixes:          be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().")
    Reported by:    syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com
    Reviewed by:    kib
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D42099
---
 sys/kern/uipc_syscalls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 2dad9d487290..c7c2e6544902 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -948,7 +948,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg,
 		AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa);
 #ifdef KTRACE
 	if (ktruio != NULL) {
-		ktruio->uio_resid = len - auio.uio_resid;
+		/* MSG_TRUNC can trigger underflow of uio_resid. */
+		ktruio->uio_resid = MIN(len - auio.uio_resid, len);
 		ktrgenio(s, UIO_READ, ktruio, error);
 	}
 #endif
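Review bot: the clamp does the right thing, but the comment on the new line only names the trigger, not the invariant it protects; it would be clearer to say that ktruio's iovec covers at most `len` bytes, so when MSG_TRUNC leaves `auio.uio_resid` negative, `len - auio.uio_resid` exceeds the buffer and ktrgenio() would read past it (the EFAULT the commit message describes). Something like `/* MSG_TRUNC may leave uio_resid negative; never trace more than the len bytes ktruio covers. */` makes the bound self-explanatory. Worth stating, either in the comment or in the review summary, that the clamp is a no-op whenever `auio.uio_resid` is non-negative, so the traced byte count is unchanged on the normal path and the record for a truncated datagram now reports the full `len` bytes that actually landed in the buffer.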
