[PATCH] net: Fix access beyond tracee buffer for MSG_TRUNC receives

Dmitry V. Levin ldv at altlinux.org
Sun Aug 4 11:56:06 UTC 2019


On Fri, Aug 02, 2019 at 11:01:29AM +0800, Jeremy Kerr wrote:
> The recv(), recvfrom() and recvmsg() calls allow a MSG_TRUNC flag, which
> indicates that the kernel should return the available size of an
> incoming message, rather than the received size.
> 
> When strace-ing a truncated recv(), strace will try to access a
> return-value size area of the tracee's buffer, which may be larger than
> the actual buffer:
> 
>   $ obj/strace -e trace=recvfrom ~/tmp/recv-test
>   recvfrom(3, "\1\2\3\4\0\0\0\0", 4, MSG_TRUNC, NULL, NULL) = 8
> 
> If I add a non-readable guard page after the tracee's recv buffer, we
> see strace failing to read the vm area:
> 
>   $ obj/strace -e trace=recvfrom ~/tmp/recv-test+guard
>   recvfrom(3, obj/strace: umoven: short read (4 < 8) @0x7f0b0d7ddffc
>   0x7f0b0d7ddffc, 4, MSG_TRUNC, NULL, NULL) = 8
> 
> This change restricts the maximum read size to the size of the tracee's
> actual buffer.
> 
> The recvmsg() handler will do the right thing by using the .iov_len
> data, so no change is required there.
> 
> * net.c (recv, recvfrom): clamp maximum sockbuf size
> ---
>  net.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net.c b/net.c
> index 1cece9af..c9a70cbf 100644
> --- a/net.c
> +++ b/net.c
> @@ -291,7 +291,7 @@ SYS_FUNC(recv)
>  			printaddr(tcp->u_arg[1]);
>  		} else {
>  			decode_sockbuf(tcp, tcp->u_arg[0], tcp->u_arg[1],
> -				     tcp->u_rval);
> +				     MIN(tcp->u_rval, tcp->u_arg[2]));
>  		}
>  
>  		tprintf(", %" PRI_klu ", ", tcp->u_arg[2]);
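Review bot: `MIN(tcp->u_rval, tcp->u_arg[2])` compares the signed syscall return value with an unsigned argument, which triggers signed/unsigned comparison warnings; cast `tcp->u_rval` to the unsigned argument type, e.g. `MIN((kernel_ulong_t) tcp->u_rval, tcp->u_arg[2])`. That cast is only safe if this `else` branch is reached solely on success (the `printaddr` fallback above suggests the `if` is the error check, but the condition is outside the hunk, so please confirm). A short comment naming MSG_TRUNC as the reason the return value can exceed the buffer length would also help the next reader, since elsewhere `tcp->u_rval` is assumed to be bounded by the length argument.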
> @@ -316,7 +316,7 @@ SYS_FUNC(recvfrom)
>  			printaddr(tcp->u_arg[1]);
>  		} else {
>  			decode_sockbuf(tcp, tcp->u_arg[0], tcp->u_arg[1],
> -				     tcp->u_rval);
> +				     MIN(tcp->u_rval, tcp->u_arg[2]));
>  		}
>  		/* size */
>  		tprintf(", %" PRI_klu ", ", tcp->u_arg[2]);
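Review bot: this hunk duplicates the `recv` clamp verbatim, so it needs the same cast on `tcp->u_rval`; consider computing the clamped length once in a small helper so the two callers cannot drift apart. The diffstat shows only net.c changing, so the patch ships without a test for the case the cover letter describes (MSG_TRUNC receive into a buffer smaller than the datagram, with a guard page after it); a test asserting that the decoded bytes stop at `tcp->u_arg[2]` would pin the fix against regression.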

Applied with a minor correction (tcp->u_rval needs a cast to avoid
compilation warnings), thanks!

I've also added some tests for this case.


-- 
ldv
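The cover letter's point is that with MSG_TRUNC the kernel reports the datagram's real length while copying only as many bytes as the buffer holds, so a tracer that reads `u_rval` bytes from the tracee runs past the buffer. The following is an added example, not code from the mail or from strace: it reproduces the mismatch on an AF_UNIX datagram socketpair and shows the clamp the patch applies (`clamp_sockbuf_len` is an illustrative helper, not a strace function; the 8-byte datagram and 4-byte buffer are constructed to match the cover letter's trace).

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The number of bytes a tracer may safely read from the tracee's buffer:
 * the syscall return value, clamped to the length the tracee passed in.
 * Negative return values mean an error, so nothing was written.
 * Hypothetical helper mirroring the patch's MIN(u_rval, u_arg[2]). */
static unsigned long clamp_sockbuf_len(long rval, unsigned long buflen)
{
	if (rval < 0)
		return 0;
	return (unsigned long) rval < buflen ? (unsigned long) rval : buflen;
}

/* Sends a constructed 8-byte datagram over a socketpair and receives it
 * with MSG_TRUNC into a 4-byte buffer. Returns recv()'s return value
 * (-1 on failure) and stores the buffer length in *buflen so the caller
 * can compare the two. */
static long recv_truncated(unsigned long *buflen)
{
	int sv[2];
	const unsigned char msg[8] = { 1, 2, 3, 4, 0, 0, 0, 0 };
	char buf[4];
	long rval = -1;

	*buflen = sizeof buf;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return -1;
	if (send(sv[0], msg, sizeof msg, 0) == (ssize_t) sizeof msg)
		rval = recv(sv[1], buf, sizeof buf, MSG_TRUNC);
	close(sv[0]);
	close(sv[1]);
	return rval;
}

int main(void)
{
	unsigned long buflen;
	long rval = recv_truncated(&buflen);

	if (rval < 0) {
		perror("recv_truncated");
		return 1;
	}
	/* On Linux this prints rval=8 buflen=4 safe_to_read=4: reading
	 * rval bytes would walk 4 bytes past the tracee's buffer. */
	printf("rval=%ld buflen=%lu safe_to_read=%lu\n",
	       rval, buflen, clamp_sockbuf_len(rval, buflen));
	return 0;
}
```

The behaviour relies on Linux returning the full datagram length for MSG_TRUNC receives on datagram sockets; the clamp itself is what the patch adds to `recv` and `recvfrom`, and `recvmsg` gets the same bound for free from `iov_len`.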