ktrace: Handle uio_resid underflow via MSG_TRUNC

When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM
or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may
intentionally underflow uio_resid so that userspace can find out how
many bytes it should have asked for.

If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to
copy in beyond the end of the output buffer's iovec.  In general this
will silently cause the ktrace operation to fail since it'll result in
EFAULT from uiomove().  Let's be more careful and make sure not to try
and copy more bytes than we have.

Fixes:		be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().")
Reported by:	syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com
Reviewed by:	kib
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D42099

(cherry picked from commit 761ae1ce798add862d78728cc5ac5240ce7db779)

1 files changed, 2 insertions, 1 deletions

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 61f6585fa789..ef3ebeb58176 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -962,7 +962,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg,
 		AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa);
 #ifdef KTRACE
 	if (ktruio != NULL) {
-		ktruio->uio_resid = len - auio.uio_resid;
+		/* MSG_TRUNC can trigger underflow of uio_resid. */
+		ktruio->uio_resid = MIN(len - auio.uio_resid, len);
 		ktrgenio(s, UIO_READ, ktruio, error);
 	}
 #endif