[PATCH] net: Fix access beyond tracee buffer for MSG_TRUNC receives

Jeremy Kerr jk at ozlabs.org
Fri Aug 2 03:01:29 UTC 2019


The recv(), recvfrom() and recvmsg() calls allow a MSG_TRUNC flag, which
indicates that the kernel should return the available size of an
incoming message, rather than the received size.

When strace-ing a truncated recv(), strace will try to access a
return-value size area of the tracee's buffer, which may be larger than
the actual buffer:

  $ obj/strace -e trace=recvfrom ~/tmp/recv-test
  recvfrom(3, "\1\2\3\4\0\0\0\0", 4, MSG_TRUNC, NULL, NULL) = 8

If I add a non-readable guard page after the tracee's recv buffer, we
see strace failing to read the vm area:

  $ obj/strace -e trace=recvfrom ~/tmp/recv-test+guard
  recvfrom(3, obj/strace: umoven: short read (4 < 8) @0x7f0b0d7ddffc
  0x7f0b0d7ddffc, 4, MSG_TRUNC, NULL, NULL) = 8

This change restricts the maximum read size to the size of the tracee's
actual buffer.

The recvmsg() handler will do the right thing by using the .iov_len
data, so no change is required there.

* net.c (recv, recvfrom): clamp maximum sockbuf size
---
 net.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net.c b/net.c
index 1cece9af..c9a70cbf 100644
--- a/net.c
+++ b/net.c
@@ -291,7 +291,7 @@ SYS_FUNC(recv)
 			printaddr(tcp->u_arg[1]);
 		} else {
 			decode_sockbuf(tcp, tcp->u_arg[0], tcp->u_arg[1],
-				     tcp->u_rval);
+				     MIN(tcp->u_rval, tcp->u_arg[2]));
 		}
 
 		tprintf(", %" PRI_klu ", ", tcp->u_arg[2]);
@@ -316,7 +316,7 @@ SYS_FUNC(recvfrom)
 			printaddr(tcp->u_arg[1]);
 		} else {
 			decode_sockbuf(tcp, tcp->u_arg[0], tcp->u_arg[1],
-				     tcp->u_rval);
+				     MIN(tcp->u_rval, tcp->u_arg[2]));
 		}
 		/* size */
 		tprintf(", %" PRI_klu ", ", tcp->u_arg[2]);
-- 
2.20.1



More information about the Strace-devel mailing list