From nobody@FreeBSD.org  Tue Sep 15 21:13:25 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7152A1065676
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 15 Sep 2009 21:13:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5EEB38FC1E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 15 Sep 2009 21:13:25 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n8FLDO7s050920
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 15 Sep 2009 21:13:24 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n8FLDOuw050919;
	Tue, 15 Sep 2009 21:13:24 GMT
	(envelope-from nobody)
Message-Id: <200909152113.n8FLDOuw050919@www.freebsd.org>
Date: Tue, 15 Sep 2009 21:13:24 GMT
From: Alexander Best <alexbestms@math.uni-muenster.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [linux] linux_socketcall() causing buffer overflow
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         138860
>Category:       kern
>Synopsis:       [linux] [patch] linux_socketcall() causing buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 15 21:20:08 UTC 2009
>Closed-Date:    Tue Feb 23 00:42:37 UTC 2010
>Last-Modified:  Tue Feb 23 00:50:02 UTC 2010
>Originator:     Alexander Best
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD otaku 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r197043: Sat Sep 12 01:07:56 CEST 2009     root@otaku:/usr/obj/usr/src/sys/ARUNDEL  i386
>Description:
The Linux Test Project (LTP) is a set of small scripts and binaries to test whether an environment meets all the criteria necessary to be 100% compatible with Linux.

Running the LTP scripts revealed a buffer overflow caused by linux_socketcall(), which emulates the Linux socketcall() syscall. The buffer overflow gets reported multiple times during a full LTP run, because several tests use the Linux socketcall() syscall and thus linux_socketcall(). One of the tests causing the buffer overflow is testcases/kernel/syscalls/bind/bind01. I've attached the source for bind01.

Here's the overflow report by REDZONE, which gets reported when the `bind01` binary is run:

REDZONE: Buffer overflow detected. 9 bytes corrupted after 0xca667283 (3 bytes allocated).
Allocation backtrace:
#0 0xc070cc5a at redzone_setup+0x3a
#1 0xc05b9cf3 at malloc+0x1c3
#2 0xc0af993c at linux_getsockaddr+0x3c
#3 0xc0afa51e at linux_socketcall+0x73e
#4 0xc0760ea6 at syscall+0x2a6
#5 0xc0744800 at Xint0x80_syscall+0x20
Free backtrace:
#0 0xc070cbea at redzone_check+0x17a
#1 0xc05b99ad at free+0x5d
#2 0xc0afa556 at linux_socketcall+0x776
#3 0xc0760ea6 at syscall+0x2a6
#4 0xc0744800 at Xint0x80_syscall+0x20

I've marked this PR as high priority because the buffer overflow could pose a security threat and be used to execute harmful code.

cheers.
alex

[1] http://lists.freebsd.org/pipermail/freebsd-emulation/2009-September/006877.html
>How-To-Repeat:
cd /usr/ports/emulators/linux_dist-gentoo-stage3 && make install
cd /usr/local/gentoo-stage3
cvs -d:pserver:anonymous@ltp.cvs.sourceforge.net:/cvsroot/ltp login
cvs -z3 -d:pserver:anonymous@ltp.cvs.sourceforge.net:/cvsroot/ltp co ltp
chroot /usr/local/gentoo-stage3 bash
cd ltp && ./configure && make all install
cd testcases/kernel/syscalls/bind
./bind01
>Fix:
The problem probably lies in /usr/src/sys/compat/linux/linux_socket.c

Patch attached with submission follows:

/*
 *
 *   Copyright (c) International Business Machines  Corp., 2001
 *
 *   This program is free software;  you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY;  without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program;  if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Test Name: bind01
 *
 * Test Description:
 *  Verify that bind() returns the proper errno for various failure cases
 *
 * Usage:  <for command-line>
 *  bind01 [-c n] [-e] [-i n] [-I x] [-P x] [-t]
 *     where,  -c n : Run n copies concurrently.
 *             -e   : Turn on errno logging.
 *	       -i n : Execute test n times.
 *	       -I x : Execute test for x seconds.
 *	       -P x : Pause for x seconds between iterations.
 *	       -t   : Turn on syscall timing.
 *
 * HISTORY
 *	07/2001 Ported by Wayne Boyer
 *
 * RESTRICTIONS:
 *  None.
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#include <netinet/in.h>

#include "test.h"
#include "usctest.h"

char *TCID = "bind01";		/* Test program identifier.    */
int testno;

int s;				/* socket descriptor */
struct sockaddr_in sin1, sin2, sin3;
struct sockaddr_un sun1;

void setup(void), setup0(void), setup1(void), setup2(void),
cleanup(void), cleanup0(void), cleanup1(void);

struct test_case_t {		/* test case structure */
	int domain;		/* PF_INET, PF_UNIX, ... */
	int type;		/* SOCK_STREAM, SOCK_DGRAM ... */
	int proto;		/* protocol number (usually 0 = default) */
	struct sockaddr *sockaddr;	/* socket address buffer */
	int salen;		/* bind's 3rd argument */
	int retval;		/* syscall return value */
	int experrno;		/* expected errno */
	void (*setup) (void);
	void (*cleanup) (void);
	char *desc;
} tdat[] = {
#ifndef UCLINUX
	/* Skip since uClinux does not implement memory protection */
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)-1,
	  sizeof(struct sockaddr_in), -1, EFAULT, setup0, cleanup0,
	  "invalid sockaddr" },
#endif
	/* A 3-byte salen is shorter than a sockaddr_in; this is the case
	 * that drives linux_socketcall() into a 3-byte allocation and the
	 * REDZONE report quoted in the PR. */
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin1,
	  3, -1, EINVAL, setup0, cleanup0, "invalid salen" },
	{ 0, 0, 0, (struct sockaddr *)&sin1,
	  sizeof(sin1), -1, ENOTSOCK, setup1, cleanup1, "invalid socket" },
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin2,
	  sizeof(sin2), 0, 0, setup0, cleanup0, "INADDR_ANYPORT" },
	{ PF_UNIX, SOCK_STREAM, 0, (struct sockaddr *)&sun1,
	  sizeof(sun1), -1, EADDRINUSE, setup0, cleanup0,
	  "UNIX-domain of current directory" },
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin3,
	  sizeof(sin3), -1, EADDRNOTAVAIL, setup0, cleanup0,
	  "non-local address" },
};

int TST_TOTAL = sizeof(tdat) / sizeof(tdat[0]);	/* Total number of test cases. */

int exp_enos[] = { EFAULT, EINVAL, ENOTSOCK, EADDRINUSE, EADDRNOTAVAIL, 0 };

extern int Tst_count;

int main(int argc, char *argv[])
{
	int lc;			/* loop counter */
	char *msg;		/* message returned from parse_opts */

	/* Parse standard options given to run the test. */
	msg = parse_opts(argc, argv, (option_t *) NULL, NULL);
	if (msg != (char *)NULL) {
		tst_brkm(TBROK, 0, "OPTION PARSING ERROR - %s", msg);
		tst_exit();
	}

	setup();

	/* Check looping state if -i option given */
	for (lc = 0; TEST_LOOPING(lc); ++lc) {
		Tst_count = 0;

		for (testno = 0; testno < TST_TOTAL; ++testno) {
			tdat[testno].setup();

			TEST(bind
			     (s, tdat[testno].sockaddr, tdat[testno].salen));
			if (TEST_RETURN > 0) {
				TEST_RETURN = 0;
			} else {
				TEST_ERROR_LOG(TEST_ERRNO);
			}
			if (TEST_RETURN != tdat[testno].retval ||
			    (TEST_RETURN < 0 &&
			     TEST_ERRNO != tdat[testno].experrno)) {
				tst_resm(TFAIL, "%s ; returned"
					 " %ld (expected %d), errno %d (expected"
					 " %d)", tdat[testno].desc,
					 TEST_RETURN, tdat[testno].retval,
					 TEST_ERRNO, tdat[testno].experrno);
			} else {
				tst_resm(TPASS, "%s successful",
					 tdat[testno].desc);
			}
			tdat[testno].cleanup();
		}
	}
	cleanup();

	return 0;
}				/* End main */

void setup(void)
{
	/* set expected errnos for -e option */
	TEST_EXP_ENOS(exp_enos);

	TEST_PAUSE;		/* if -p option specified */

	/* initialize sockaddr's */
	sin1.sin_family = AF_INET;
	/* this port must be unused! */
	sin1.sin_port = htons((getpid() % 32768) + 10000);
	sin1.sin_addr.s_addr = INADDR_ANY;

	sin2.sin_family = AF_INET;
	sin2.sin_port = 0;
	sin2.sin_addr.s_addr = INADDR_ANY;

	sin3.sin_family = AF_INET;
	sin3.sin_port = 0;
	/* assumes 10.255.254.253 is not a local interface address! */
	sin3.sin_addr.s_addr = htonl(0x0AFFFEFD);

	sun1.sun_family = AF_UNIX;
	strncpy(sun1.sun_path, ".", sizeof(sun1.sun_path));

}

void cleanup(void)
{
	TEST_CLEANUP;
	tst_exit();
}

void setup0(void)
{
	s = socket(tdat[testno].domain, tdat[testno].type, tdat[testno].proto);
	if (s < 0)
		tst_brkm(TBROK|TERRNO, cleanup, "socket() failed for bind test %d", testno);
}

void cleanup0(void)
{
	(void)close(s);
}

void setup1(void)
{
	/* setup for the "not a socket" case */
	if ((s = open("/dev/null", O_WRONLY)) == -1)
		tst_brkm(TBROK|TERRNO, cleanup, "open(/dev/null) failed");

}

void cleanup1(void)
{
	s = -1;
}


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-emulation 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Sat Oct 31 14:43:42 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138860 

From: Mateusz Guzik <mjguzik@gmail.com>
To: bug-followup@FreeBSD.org, alexbestms@math.uni-muenster.de
Cc:  
Subject: Re: kern/138860: [linux] linux_socketcall() causing buffer overflow
Date: Fri, 22 Jan 2010 19:30:25 +0000

 Hi,
 
 It looks like the problem is caused by this:
 
 sys/compat/linux/linux_socket.c : do_sa_get() contains the following code:
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
 [..]
 	alloclen = *osalen;
 [..]
 	kosa = malloc(alloclen, mtype, M_WAITOK); // [1]
 
 	if ((error = copyin(osa, kosa, *osalen)))
 		goto out;
 
 	bdom = linux_to_bsd_domain(kosa->sa_family);
 [..]
 	if (bdom == AF_INET)
 		alloclen = sizeof(struct sockaddr_in); // [2]
 
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen; // [3]
 
 	*sap = sa;
 	*osalen = alloclen;
 [..]
 --------
 
 *osalen bytes are allocated in [1]. In [2] we override the old value of alloclen
 and use it in the assignment ([3]).
 
 So if *osalen is lower than sizeof(struct sockaddr_in), we return a struct that is
 too small and contains a faked length.
 
 This defeats the checks placed in sys/netinet/in_pcb.c : in_pcbbind_setup() and
 leads to an overflow here (line 348 as of r202295):
 [..]
 bzero(&sin->sin_zero, sizeof(sin->sin_zero));
 [..]
 
 --------
 
 Proposed patch:
 
 http://student.agh.edu.pl/~mjguzik/linux_socket.patch
 
 Note: the patch also changes the return value from EINVAL to EAFNOSUPPORT in case of
 linux_to_bsd_domain's failure, to match the behaviour of other callers.
 
 Briefly tested with wget, Quake 3 and firefox.
 
 --
 Mateusz Guzik
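
The length confusion Mateusz describes, reproduced in userland as an added example (this is not FreeBSD code and not part of the PR): a model of do_sa_get() with and without the check that r203728 later added, a consumer that, like in_pcbbind_setup(), trusts sa_len and clears sin_zero, and a canary-filled arena standing in for the kernel malloc so the bytes written past the osalen-byte allocation can be counted. The struct layout follows the 16-byte i386 sockaddr_in; the CANARY value, the 0xAA filler for the user-supplied address, the arena size and the model_* helper names are assumptions of the model, and the model only accounts for the sin_zero write, not anything else the kernel's bind path may touch.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD code: a userland model of do_sa_get() before
 * and after the r203728 length check, with a canary-filled arena standing
 * in for the kernel malloc so bytes written past the allocation are countable. */
#define LINUX_AF_INET 2          /* Linux and BSD both number AF_INET 2 */
#define BSD_AF_INET   2
#define CANARY        0xC5       /* assumed filler for untouched arena bytes */
#define ARENA_LEN     256        /* > UCHAR_MAX, so any accepted osalen fits */

struct bsd_sockaddr_in {         /* 16 bytes, as on i386; sin_len and
				  * sin_family overlay sa_len/sa_family */
	uint8_t  sin_len;
	uint8_t  sin_family;
	uint16_t sin_port;
	uint32_t sin_addr;
	char     sin_zero[8];    /* the bytes in_pcbbind_setup() bzero()s */
};
union arena {                    /* keeps the model buffer aligned */
	struct bsd_sockaddr_in sin;
	unsigned char bytes[ARENA_LEN];
};

/* Model of do_sa_get(): checked == 0 is the code Mateusz quoted, checked == 1
 * adds the r203728 check. The "malloc" is the first osalen bytes of *a. */
static int do_sa_get_model(int checked, const void *osa, size_t osalen,
    union arena *a, size_t *out_len)
{
	size_t alloclen;
	uint16_t fam;
	int bdom;

	if (osalen < 2 || osalen > UCHAR_MAX || osa == NULL)
		return (EINVAL);
	alloclen = osalen;                      /* [1] malloc(alloclen) */
	memcpy(a->bytes, osa, osalen);          /* copyin(osa, kosa, *osalen) */
	memcpy(&fam, a->bytes, sizeof(fam));    /* kosa->sa_family, 16-bit on Linux */
	bdom = (fam == LINUX_AF_INET) ? BSD_AF_INET : -1;   /* linux_to_bsd_domain() */
	if (bdom == -1)
		return (EAFNOSUPPORT);
	if (bdom == BSD_AF_INET) {
		alloclen = sizeof(struct bsd_sockaddr_in);      /* [2] */
		if (checked && osalen < alloclen)
			return (EINVAL);                /* added by r203728 */
	}
	a->sin.sin_family = (uint8_t)bdom;      /* sa->sa_family = bdom */
	a->sin.sin_len = (uint8_t)alloclen;     /* [3] sa_len now claims 16 bytes */
	*out_len = alloclen;
	return (0);
}

/* Consumer that, like in_pcbbind_setup(), trusts sa_len and clears sin_zero. */
static void consumer_model(union arena *a, size_t sa_len)
{
	if (sa_len == sizeof(struct bsd_sockaddr_in))
		memset(a->sin.sin_zero, 0, sizeof(a->sin.sin_zero));
}

/* One bind() through the model: *err receives the errno; the return value is
 * the number of canary bytes clobbered beyond the osalen-byte allocation. */
static size_t run_model(int checked, size_t osalen, uint16_t fam, int *err)
{
	union arena a;
	unsigned char osa[ARENA_LEN];   /* constructed user-supplied sockaddr */
	size_t claimed = 0, clobbered = 0, i;

	memset(osa, 0xAA, sizeof(osa));
	memcpy(osa, &fam, sizeof(fam));
	memset(a.bytes, CANARY, sizeof(a.bytes));
	*err = do_sa_get_model(checked, osa, osalen, &a, &claimed);
	if (*err == 0)
		consumer_model(&a, claimed);
	for (i = osalen; i < ARENA_LEN; i++)
		if (a.bytes[i] != CANARY)
			clobbered++;
	return (clobbered);
}

/* Convenience wrappers returning one result each. */
static int model_err(int c, size_t n, uint16_t f) { int e; (void)run_model(c, n, f, &e); return (e); }
static size_t model_clobbered(int c, size_t n, uint16_t f) { int e; return (run_model(c, n, f, &e)); }

int main(void)
{
	printf("unchecked, salen 3: errno %d, %zu bytes past the allocation\n",
	    model_err(0, 3, LINUX_AF_INET), model_clobbered(0, 3, LINUX_AF_INET));
	printf("checked,   salen 3: errno %d, %zu bytes past the allocation\n",
	    model_err(1, 3, LINUX_AF_INET), model_clobbered(1, 3, LINUX_AF_INET));
	return (0);
}
```

With the unchecked model and the bind01 "invalid salen" input (salen 3, AF_INET), do_sa_get_model() accepts the 3-byte address, stamps sa_len = 16, and the consumer's clearing of sin_zero lands entirely outside the allocation; with the check in place the same input is rejected with EINVAL before any fixed-size view of the buffer is taken, which is also the errno the bind01 test expects for that case.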

From: Alexander Best <alexbestms@wwu.de>
To: <bug-followup@FreeBSD.org>
Cc: Mateusz Guzik <mjguzik@gmail.com>
Subject: Re: kern/138860: [linux] linux_socketcall() causing buffer overflow
Date: Tue, 09 Feb 2010 14:36:38 +0100 (CET)

 Thanks a lot. :)
 
 I've tested the patch, and running the test case I mentioned in the PR no
 longer causes a buffer overflow warning to be reported by REDZONE.
 
 Somebody please commit this patch.
 
 cheers.
 alex
State-Changed-From-To: open->analyzed 
State-Changed-By: linimon 
State-Changed-When: Tue Feb 9 21:40:22 UTC 2010 
State-Changed-Why:  
Submitter says the proposed patch fixed the problem for him. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138860 
Responsible-Changed-From-To: freebsd-emulation->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Feb 9 22:13:45 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138860 
State-Changed-From-To: analyzed->patched 
State-Changed-By: delphij 
State-Changed-When: Tue Feb 9 22:30:54 UTC 2010 
State-Changed-Why:  
Patch applied against -HEAD, MFC reminder. 

Thanks for reporting the problem and thanks Mateusz Guzik for working 
on the fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138860 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138860: commit references a PR
Date: Tue,  9 Feb 2010 22:31:05 +0000 (UTC)

 Author: delphij
 Date: Tue Feb  9 22:30:51 2010
 New Revision: 203728
 URL: http://svn.freebsd.org/changeset/base/203728
 
 Log:
    - Return EAFNOSUPPORT instead of EINVAL for unsupported address family,
      this matches the Linux behavior.
    - Check if we have sufficient space allocated for socket structure, which
      fixes a buffer overflow when wrong length is being passed into the
      emulation layer. [1]
   
   PR:		kern/138860
   Submitted by:	Mateusz Guzik <mjguzik gmail com>
   Reported by:	Alexander Best [1]
   MFC after:	2 weeks
 
 Modified:
   head/sys/compat/linux/linux_socket.c
 
 Modified: head/sys/compat/linux/linux_socket.c
 ==============================================================================
 --- head/sys/compat/linux/linux_socket.c	Tue Feb  9 22:15:59 2010	(r203727)
 +++ head/sys/compat/linux/linux_socket.c	Tue Feb  9 22:30:51 2010	(r203728)
 @@ -128,7 +128,7 @@ do_sa_get(struct sockaddr **sap, const s
  
  	bdom = linux_to_bsd_domain(kosa->sa_family);
  	if (bdom == -1) {
 -		error = EINVAL;
 +		error = EAFNOSUPPORT;
  		goto out;
  	}
  
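Review bot: the EINVAL to EAFNOSUPPORT change in this hunk is a user-visible errno change that is independent of the overflow fix, and because it sits in do_sa_get() it applies to every caller of that function (the report's backtrace reaches it through linux_getsockaddr() from linux_socketcall()), not only to bind(); consider splitting it into its own commit, or at least naming the affected calls in the log, so that the security fix can be merged and audited on its own. The log's justification ("matches the Linux behavior") differs from the one in Mateusz Guzik's follow-up ("to match the behaviour of other callers"); the two are compatible, but the commit message should state which one was actually verified.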
 @@ -157,8 +157,13 @@ do_sa_get(struct sockaddr **sap, const s
  		}
  	} else
  #endif
 -	if (bdom == AF_INET)
 +	if (bdom == AF_INET) {
  		alloclen = sizeof(struct sockaddr_in);
 +		if (*osalen < alloclen) {
 +			error = EINVAL;
 +			goto out;
 +		}
 +	}
  
  	sa = (struct sockaddr *) kosa;
  	sa->sa_family = bdom;
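Review bot: the minimum-length check is added only to the AF_INET branch; the preceding `} else` / `#endif` branch, whose body lies outside this hunk, needs the same `if (*osalen < alloclen)` guard if it also replaces alloclen with a fixed struct size, since the pattern Mateusz described (allocate *osalen bytes, then stamp a larger sa_len into the result) defeats the consumer's length check for any family handled that way. The placement after copyin() is correct, because the earlier `*osalen < 2` guard already guarantees that sa_family is readable, and EINVAL is the errno the attached bind01 test expects for its 3-byte "invalid salen" case, so that test now passes for the right reason. The new `goto out` on EINVAL reuses the EAFNOSUPPORT error path from the first hunk, so it is worth confirming that `out:` frees kosa on every error return rather than only on the success path.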
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Feb 23 00:41:44 UTC 2010 
State-Changed-Why:  
Patch applied against 8- and 7-STABLE, thanks for reporting and working on patches! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138860 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138860: commit references a PR
Date: Tue, 23 Feb 2010 00:40:16 +0000 (UTC)

 Author: delphij
 Date: Tue Feb 23 00:40:02 2010
 New Revision: 204232
 URL: http://svn.freebsd.org/changeset/base/204232
 
 Log:
   MFC r203728:
   
    - Return EAFNOSUPPORT instead of EINVAL for unsupported address family,
      this matches the Linux behavior.
    - Check if we have sufficient space allocated for socket structure, which
      fixes a buffer overflow when wrong length is being passed into the
      emulation layer. [1]
   
   PR:		kern/138860
   Submitted by:	Mateusz Guzik <mjguzik gmail com>
   Reported by:	Alexander Best [1]
 
 Modified:
   stable/8/sys/compat/linux/linux_socket.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
   stable/8/sys/netinet/   (props changed)
 
 Modified: stable/8/sys/compat/linux/linux_socket.c
 ==============================================================================
 --- stable/8/sys/compat/linux/linux_socket.c	Tue Feb 23 00:34:20 2010	(r204231)
 +++ stable/8/sys/compat/linux/linux_socket.c	Tue Feb 23 00:40:02 2010	(r204232)
 @@ -128,7 +128,7 @@ do_sa_get(struct sockaddr **sap, const s
  
  	bdom = linux_to_bsd_domain(kosa->sa_family);
  	if (bdom == -1) {
 -		error = EINVAL;
 +		error = EAFNOSUPPORT;
  		goto out;
  	}
  
 @@ -157,8 +157,13 @@ do_sa_get(struct sockaddr **sap, const s
  		}
  	} else
  #endif
 -	if (bdom == AF_INET)
 +	if (bdom == AF_INET) {
  		alloclen = sizeof(struct sockaddr_in);
 +		if (*osalen < alloclen) {
 +			error = EINVAL;
 +			goto out;
 +		}
 +	}
  
  	sa = (struct sockaddr *) kosa;
  	sa->sa_family = bdom;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/138860: commit references a PR
Date: Tue, 23 Feb 2010 00:41:48 +0000 (UTC)

 Author: delphij
 Date: Tue Feb 23 00:41:40 2010
 New Revision: 204233
 URL: http://svn.freebsd.org/changeset/base/204233
 
 Log:
   MFC r203728:
   
    - Return EAFNOSUPPORT instead of EINVAL for unsupported address family,
      this matches the Linux behavior.
    - Check if we have sufficient space allocated for socket structure, which
      fixes a buffer overflow when wrong length is being passed into the
      emulation layer. [1]
   
   PR:		kern/138860
   Submitted by:	Mateusz Guzik <mjguzik gmail com>
   Reported by:	Alexander Best [1]
 
 Modified:
   stable/7/sys/compat/linux/linux_socket.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/compat/linux/linux_socket.c
 ==============================================================================
 --- stable/7/sys/compat/linux/linux_socket.c	Tue Feb 23 00:40:02 2010	(r204232)
 +++ stable/7/sys/compat/linux/linux_socket.c	Tue Feb 23 00:41:40 2010	(r204233)
 @@ -126,7 +126,7 @@ do_sa_get(struct sockaddr **sap, const s
  
  	bdom = linux_to_bsd_domain(kosa->sa_family);
  	if (bdom == -1) {
 -		error = EINVAL;
 +		error = EAFNOSUPPORT;
  		goto out;
  	}
  
 @@ -155,8 +155,13 @@ do_sa_get(struct sockaddr **sap, const s
  		}
  	} else
  #endif
 -	if (bdom == AF_INET)
 +	if (bdom == AF_INET) {
  		alloclen = sizeof(struct sockaddr_in);
 +		if (*osalen < alloclen) {
 +			error = EINVAL;
 +			goto out;
 +		}
 +	}
  
  	sa = (struct sockaddr *) kosa;
  	sa->sa_family = bdom;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
