aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Johnston <markj@FreeBSD.org>2023-10-16 20:11:55 +0000
committerMark Johnston <markj@FreeBSD.org>2023-10-20 16:01:47 +0000
commita861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17 (patch)
tree6d038e6dd34f21e2532a6224034c6830b94df53e
parent7daf9fd3f4eb7936fa5bdf238bd7b466e13c0e3a (diff)
downloadsrc-a861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17.tar.gz
src-a861521ac98fbcb3ea3c9d21aa06ce5ec1d06b17.zip
ktrace: Handle uio_resid underflow via MSG_TRUNC
When recvmsg(2) is used with MSG_TRUNC on an atomic socket type (DGRAM or SEQPACKET), soreceive_generic() and uipc_peek_dgram() may intentionally underflow uio_resid so that userspace can find out how many bytes it should have asked for. If this happens, and KTR_GENIO is enabled, ktrgenio() will attempt to copy in beyond the end of the output buffer's iovec. In general this will silently cause the ktrace operation to fail since it'll result in EFAULT from uiomove(). Let's be more careful and make sure not to try and copy more bytes than we have. Fixes: be1f485d7d6b ("sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().") Reported by: syzbot+30b4bb0c0bc0f53ac198@syzkaller.appspotmail.com Reviewed by: kib MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D42099 (cherry picked from commit 761ae1ce798add862d78728cc5ac5240ce7db779)
-rw-r--r--sys/kern/uipc_syscalls.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 61f6585fa789..ef3ebeb58176 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -962,7 +962,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg,
AUDIT_ARG_SOCKADDR(td, AT_FDCWD, fromsa);
#ifdef KTRACE
if (ktruio != NULL) {
- ktruio->uio_resid = len - auio.uio_resid;
+ /* MSG_TRUNC can trigger underflow of uio_resid. */
+ ktruio->uio_resid = MIN(len - auio.uio_resid, len);
ktrgenio(s, UIO_READ, ktruio, error);
}
#endif