From patchwork Wed Dec 15 13:46:44 2021
X-Patchwork-Submitter: Fabian Vogt
X-Patchwork-Id: 48937
From: Fabian Vogt
To: libc-alpha@sourceware.org
Cc: Florian Weimer
Subject: [PATCH] convert_scm_timestamps: Initialize buffer for CMSG_NXTHDR
Date: Wed, 15 Dec 2021 14:46:44 +0100
Message-ID: <7960950.1uK8C5oMiK@linux-e202.suse.de>

The space past the msg_control buffer returned by the kernel needs to be zero-initialized before CMSG_NXTHDR can be used. Currently this is not done, and CMSG_NXTHDR reads the size of the uninitialized "future" cmsghdr inside.
Signed-off-by: Fabian Vogt --- Moin, In openSUSE we also hit the issue that recvmsg returns invalid cmsg buffers, manifesting itself as random segfaults in calls to "ping 127.0.0.1 -c2", done by the testsuite of python-EasyProcess. I only found the relevant glibc tickets after debugging myself, however that has the benefit that I can confirm and add to the existing findings. The biggest issue is the missing update of the "last" pointer in the case of a non-SOL_SOCKET message, which is addressed properly by [PATCH v3 2/2] linux: Fix ancillary 64-bit time timestamp conversion (BZ #28349, BZ #28350) However, I also found another bug, which this patch addresses. Feel free to incorporate it into the existing patch series or add it on top. Adding a reliable testcase for this (if it's worth the effort at all) is not trivial, ideally calling __convert_scm_timestamps with a manually crafted cmsghdr past the old msg_controllen can be done. Otherwise the needed offset for the crafted garbage depends on what recvmsg returns. Filling the buffer with e.g. 0xFF or 0x01 (cmsg_len=0xFFFFFFFF or 0x01010101) causes the calculation in CMSG_NXTHDR to overflow and so it thinks it fits into the buffer still, so it requires more specific garbage to cause CMSG_NXTHDR to fail. With both fixes applied, ping works reliably here and valgrind also stopped complaining. Cheers, Fabian diff --git a/sysdeps/unix/sysv/linux/convert_scm_timestamps.c b/sysdeps/unix/sysv/linux/convert_scm_timestamps.c index 00c934c413..d0429b8353 100644 --- a/sysdeps/unix/sysv/linux/convert_scm_timestamps.c +++ b/sysdeps/unix/sysv/linux/convert_scm_timestamps.c @@ -88,6 +88,8 @@ __convert_scm_timestamps (struct msghdr *msg, socklen_t msgsize) return; } + /* Zero memory for the new cmsghdr, required by CMSG_NXTHDR */ + memset ((char *) (msg->msg_control) + msg->msg_controllen, 0, CMSG_SPACE (sizeof tvts)); msg->msg_controllen += CMSG_SPACE (sizeof tvts); cmsg = CMSG_NXTHDR(msg, last); if (cmsg == NULL)
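Review bot: The new memset writes CMSG_SPACE (sizeof tvts) bytes past msg_controllen and is only safe if the early `return;` in the context lines just above it guarantees that those bytes still lie within msgsize; stating that invariant in the comment would make the write's bound explicit, and since `CMSG_SPACE (sizeof tvts)` is now evaluated on two consecutive lines it is worth hoisting into a local. Style: glibc comments end with a period and two spaces (`/* Zero memory for the new cmsghdr, required by CMSG_NXTHDR.  */`), and the memset line exceeds 79 columns, so wrap it after the `0,`.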
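The append pattern the description above relies on, as an added example that is neither the patch's nor glibc's own code: a hypothetical `append_cmsg` helper does the bounds check first, zeroes the slot the new header will occupy, and only then extends msg_controllen and calls CMSG_NXTHDR. The `demo_append_timestamp` scenario is constructed: it pre-fills a 64-byte control buffer with 0xFF to stand in for uninitialised memory, plants one SCM_RIGHTS header (with a made-up fd value of 3) as the "kernel-built" chain, appends a SO_TIMESTAMP header with a constructed timestamp, and then walks the chain the way a consumer would. `demo_reject_too_small` shows the bounds check refusing a buffer that cannot hold even one header. All function names and values are assumptions for the demo.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Hypothetical helper, not glibc's code: append one ancillary message of
   LEVEL/TYPE carrying DATALEN bytes from DATA to MSG, whose msg_control
   buffer is BUFSIZE bytes long.  Returns 0 on success, -1 if the message
   does not fit or the existing chain cannot be walked.  */
int
append_cmsg (struct msghdr *msg, size_t bufsize, int level, int type,
             const void *data, size_t datalen)
{
  unsigned char *base = msg->msg_control;
  size_t oldlen = msg->msg_controllen;
  size_t space = CMSG_SPACE (datalen);

  /* Bounds check first: the zero-fill below must stay inside the buffer.  */
  if (oldlen > bufsize || bufsize - oldlen < space)
    return -1;

  /* Zero the slot the new header will occupy.  Only the first OLDLEN bytes
     were written by whoever built the chain (the kernel, after recvmsg);
     CMSG_NXTHDR may read cmsg_len of the header it is about to return, so
     that field must not be leftover garbage.  */
  memset (base + oldlen, 0, space);
  msg->msg_controllen = oldlen + space;

  /* Walk to the header that now sits at BASE + OLDLEN.  For an empty chain
     that is simply CMSG_FIRSTHDR.  */
  struct cmsghdr *cmsg = CMSG_FIRSTHDR (msg);
  while (cmsg != NULL && (unsigned char *) cmsg < base + oldlen)
    cmsg = CMSG_NXTHDR (msg, cmsg);
  if (cmsg == NULL || (unsigned char *) cmsg != base + oldlen)
    {
      msg->msg_controllen = oldlen;   /* undo the extension */
      return -1;
    }

  cmsg->cmsg_level = level;
  cmsg->cmsg_type = type;
  cmsg->cmsg_len = CMSG_LEN (datalen);
  memcpy (CMSG_DATA (cmsg), data, datalen);
  return 0;
}

/* Timestamp recovered by the consumer-side walk in the demo below.  */
struct timeval demo_last_stamp;

/* Constructed scenario: BUF starts out filled with 0xFF to stand in for
   uninitialised stack memory.  A first header (SCM_RIGHTS with a made-up fd)
   plays the part of the kernel-built chain; a SO_TIMESTAMP header is then
   appended the way __convert_scm_timestamps appends its converted stamp.
   Returns the number of headers a standard CMSG walk sees afterwards
   (2 on success) or -1, and leaves the appended timestamp in
   demo_last_stamp.  */
int
demo_append_timestamp (void)
{
  unsigned char buf[64];
  struct msghdr msg;
  int fd = 3;                                   /* constructed value */
  struct timeval tv = { .tv_sec = 1639576004, .tv_usec = 123456 };
  int count = 0;

  memset (buf, 0xFF, sizeof buf);
  memset (&msg, 0, sizeof msg);
  msg.msg_control = buf;
  msg.msg_controllen = 0;

  if (append_cmsg (&msg, sizeof buf, SOL_SOCKET, SCM_RIGHTS, &fd, sizeof fd) != 0)
    return -1;
  if (append_cmsg (&msg, sizeof buf, SOL_SOCKET, SO_TIMESTAMP, &tv, sizeof tv) != 0)
    return -1;

  /* Consumer-side walk, exactly as an application reading recvmsg output
     would do it; the 0xFF bytes beyond msg_controllen are never touched.  */
  for (struct cmsghdr *c = CMSG_FIRSTHDR (&msg); c != NULL;
       c = CMSG_NXTHDR (&msg, c))
    {
      count++;
      if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SO_TIMESTAMP
          && c->cmsg_len == CMSG_LEN (sizeof tv))
        memcpy (&demo_last_stamp, CMSG_DATA (c), sizeof tv);
    }
  return count;
}

/* The failure mode the bounds check guards: a buffer too small for even one
   header must be rejected before anything is zeroed.  Returns append_cmsg's
   result (-1 expected).  */
int
demo_reject_too_small (void)
{
  unsigned char buf[8];
  struct msghdr msg;
  int fd = 3;                                   /* constructed value */

  memset (&msg, 0, sizeof msg);
  msg.msg_control = buf;
  msg.msg_controllen = 0;
  return append_cmsg (&msg, sizeof buf, SOL_SOCKET, SCM_RIGHTS, &fd, sizeof fd);
}
```

The order inside `append_cmsg` is the whole point: the size check protects the memset, the memset protects CMSG_NXTHDR, and msg_controllen is only extended once the slot is known to be zero. Because every bound is derived from msg_controllen rather than from the allocation, the trailing 0xFF bytes never influence the walk.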