Date: Sun, 22 Oct 2023 15:04:48 GMT
Message-Id: <202310221504.39MF4mr2033592@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 315dd7f2e12a - releng/14.0 - ktrace: Handle uio_resid underflow via MSG_TRUNC
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.0
X-Git-Reftype: branch
X-Git-Commit: 315dd7f2e12a21e47da75f0ce8c1c5a1611810b8

The branch releng/14.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=315dd7f2e12a21e47da75f0ce8c1c5a1611810b8

commit 315dd7f2e12a21e47da75f0ce8c1c5a1611810b8
Author:     Mark Johnston
AuthorDate: 2023-10-16 20:11:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-10-22 15:01:31 +0000

    ktrace: Handle uio_resid underflow via MSG_TRUNC

    When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
    or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
    intentionally underflow uio_resid so that userspace can find out how
    many bytes it should have asked for.  If this happens, and KTR_GENIO
    is enabled, ktrgenio() will attempt to copy in beyond the end of the
    output buffer's iovec.  In general this will silently cause the ktrace
    operation to fail since it'll result in EFAULT from uiomove().

    Let's be more careful and make sure not to try and copy more bytes
    than we have.
Approved by: re (gjb) Fixes: be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().") Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com Reviewed by: kib MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D42099 (cherry picked from commit 761ae1ce798add862d78728cc5ac5240ce7db779) (cherry picked from commit eb965d4f0309514893745e6cfae998495e76d941) --- sys/kern/uipc_syscalls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2dad9d487290..c7c2e6544902 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -948,7 +948,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa); #ifdef KTRACE if (ktruio != NULL) { - ktruio->uio_resid = len - auio.uio_resid; + /* MSG_TRUNC can trigger underflow of uio_resid. */ + ktruio->uio_resid = MIN(len - auio.uio_resid, len); ktrgenio(s, UIO_READ, ktruio, error); } #endif
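Review bot: the clamp `ktruio->uio_resid = MIN(len - auio.uio_resid, len);` is correct for the case the commit message describes (a negative auio.uio_resid after a MSG_TRUNC receive inflates `len - auio.uio_resid` past `len`, and MIN caps the logged length at the size of the iovec that was actually supplied), but the one-line comment `/* MSG_TRUNC can trigger underflow of uio_resid. */` does not say which uio is meant or why `len` is the right bound; stating that explicitly, for example `/* MSG_TRUNC may leave auio.uio_resid negative; log no more than the len bytes the iovec holds. */`, would spare the next reader a trip to soreceive_generic() to work out the invariant.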
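As an added example (not FreeBSD code and not part of this commit), the following C program shows, from userspace, the behaviour the commit message relies on: a recvmsg(2) with MSG_TRUNC on a datagram socket returns the full datagram length even when the buffer is smaller, so `return value - bytes requested` goes "negative" in resid terms. The hypothetical helper `ktrace_resid()` models the clamp the patch adds (`MIN(len - auio.uio_resid, len)`), and `recv_with_msg_trunc()` applies the same discipline to its own buffer. It assumes an AF_UNIX SOCK_DGRAM socketpair (constructed inline, no real peer) on a kernel that implements the "return full length under MSG_TRUNC" semantics; the function and field names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical model of the clamp added by the patch.  `len` is the
 * original request size, `resid_after` the uio_resid left after the
 * receive.  A MSG_TRUNC receive can leave resid negative, so
 * `len - resid_after` may exceed `len`; cap it at `len`, which is all
 * the iovec can hold. */
ssize_t ktrace_resid(ssize_t len, ssize_t resid_after)
{
    ssize_t moved = len - resid_after;
    return moved > len ? len : moved;
}

struct trunc_result {
    ssize_t ret;       /* value returned by recvmsg(2) */
    size_t  buffered;  /* bytes that actually landed in the iovec */
    int     truncated; /* 1 if MSG_TRUNC was set in msg_flags */
};

/* Send one datagram of `datagram_len` bytes over a constructed AF_UNIX
 * SOCK_DGRAM socketpair and read it back with MSG_TRUNC into a buffer of
 * `buflen` bytes.  Returns 0 on success, -1 on a syscall failure. */
int recv_with_msg_trunc(size_t datagram_len, size_t buflen,
                        struct trunc_result *out)
{
    int sv[2];
    int rc = -1;
    char *payload = NULL, *buf = NULL;
    struct iovec iov;
    struct msghdr msg;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1)
        return -1;
    payload = malloc(datagram_len);
    buf = malloc(buflen);
    if (payload == NULL || buf == NULL)
        goto out;
    memset(payload, 'A', datagram_len);   /* constructed sample datagram */

    if (send(sv[0], payload, datagram_len, 0) != (ssize_t)datagram_len)
        goto out;

    iov.iov_base = buf;
    iov.iov_len = buflen;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    n = recvmsg(sv[1], &msg, MSG_TRUNC);
    if (n < 0)
        goto out;

    out->ret = n;
    out->truncated = (msg.msg_flags & MSG_TRUNC) != 0;
    /* Same discipline as the kernel fix: the buffer holds at most buflen
     * bytes regardless of what the return value reports. */
    out->buffered = (size_t)n > buflen ? buflen : (size_t)n;
    rc = 0;
out:
    free(payload);
    free(buf);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* One call that verifies all three fields of a receive. */
int check_msg_trunc(size_t datagram_len, size_t buflen,
                    ssize_t want_ret, size_t want_buffered, int want_trunc)
{
    struct trunc_result r;
    if (recv_with_msg_trunc(datagram_len, buflen, &r) != 0)
        return 0;
    return r.ret == want_ret && r.buffered == want_buffered &&
           r.truncated == want_trunc;
}

int main(void)
{
    struct trunc_result r;
    if (recv_with_msg_trunc(64, 16, &r) != 0) {
        perror("recv_with_msg_trunc");
        return 1;
    }
    printf("recvmsg returned %zd, %zu bytes in buffer, MSG_TRUNC=%d\n",
           r.ret, r.buffered, r.truncated);
    /* ktrace's view: a 16-byte request that "moved" 64 bytes leaves
     * resid at 16 - 64 = -48; the naive length would be 64. */
    printf("naive len - resid = %zd, clamped = %zd\n",
           (ssize_t)16 - (ssize_t)(-48), ktrace_resid(16, -48));
    return 0;
}
```

The 64-into-16 case is the one the syzbot report exercised: the naive `len - resid` is 64, but only 16 bytes are addressable through the iovec, so any consumer that trusts the raw count (ktrgenio() before this fix, or userspace code that memcpy()s `ret` bytes out of its buffer) reads past the end. Clamping to the request size is the defensive invariant on both sides of the syscall boundary.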