From nobody Tue Jan 25 01:40:15 2022
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7DFCD19731A9;
	Tue, 25 Jan 2022 01:40:17 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JjV0c2WLKz4Zyk;
	Tue, 25 Jan 2022 01:40:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1643074816;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=cTQTE9nifOye0EcTaZQAKxIAF5M6nc6XI74YbWtID7M=;
	b=YuIx232k8MqMZJ4EQy8emTRmBExWPm3ml3pJCfT5Y5uoVsrm1p7yAInlKswD67tfjRFmwQ
	kE3Y8wBjVlDARcHIaJP1V1W2QOWfTk0fpVbzjtcmp8YJPDY5zniQJWYyJfWMgsCw4jG3Ys
	gPN5LI1nzkxCqTmQnSqDDuAiyaXYri0WP1NtehnTsTvhqRk8o8FLinp4OFsrJ+spp5ertF
	o/eMNKBkpEnsxDNvx+2jSBrcwXC9zlctXmrN0fmtXl24DNsmoEapAQDiWgO5daPWwW8duE
	vX3sfT1GrD6j042TgPFjqX1th1oTo6HVls3yb6GtcByLBhmdEJ0DvArv3okEBQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 134E120A30;
	Tue, 25 Jan 2022 01:40:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 20P1eFEW048759;
	Tue, 25 Jan 2022 01:40:15 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 20P1eFNg048753;
	Tue, 25 Jan 2022 01:40:15 GMT
	(envelope-from git)
Date: Tue, 25 Jan 2022 01:40:15 GMT
Message-Id: <202201250140.20P1eFNg048753@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke <jrtc27@FreeBSD.org>
Subject: git: 3c7f332f716d - stable/13 - Fix buffer overread in preloaded hostuuid parsing
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 3c7f332f716d67f61012bc01a3446c1ca03c5263
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1643074816;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=cTQTE9nifOye0EcTaZQAKxIAF5M6nc6XI74YbWtID7M=;
	b=X/20tnkX6hPnwNAJrJwBgjO1Qfa4bS8Yu21puxkEmE4NelP/h+ocRPcrDwkeADlhDNbepF
	7/GGCHpGHoX5mp3TFMauaM9Kz3N3PT0TGp9OIN3BgPI+5ce2RNXVhI2+yhx53TyrKecSXC
	jKSz0/JgJnvCHZruYuwDcDeQcvkrurNVsfxGopdY8ulnBABGb5UJLPhb4iYgWqdm7ul+60
	eytAMTBmx18F4VzpzktYFqHhi72iloho39s/UkjGOgkvuQTg972kJM5Y93m2/YEXQQ2Jzz
	gzksVFoAiV6580wB++9OcU6LRESJXqEZi1MkA4CS2NxC+lRI4AE6f8xRG86Mcw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1643074816; a=rsa-sha256; cv=none;
	b=UnVRtqmvZr9ulfQqxfoG6qmwNWMIxBoNQecS8xW0z9wFm3xvYbZM7rPaDXJaIFFvuLPtUL
	1+fHczOHpnabkmxdUK7Jc+Wj7ghaKt/GPbWjrl88HMk4TUQL4UH5GVsEy7zw3bZA1BHyMh
	w3iPtgcCTD7jAwNDSsbBWUh9iDuEBqt3OzllUAxIbi4UTJdIirTkurrJo7xm49peGoNF+t
	pT9s1qLEKADHuWVGkzDjvjPRl581vjjmkB1xjnCotMwPokZklptCSQStmj5tl6j4MM6ICA
	mFM/Q/9Ar9s+XNDRdXykPsxIyMMeX+vIm+6hpDcx9qC21U079VLf67n9jVuhAQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=3c7f332f716d67f61012bc01a3446c1ca03c5263

commit 3c7f332f716d67f61012bc01a3446c1ca03c5263
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2021-12-22 16:47:23 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2022-01-24 23:59:49 +0000

    Fix buffer overread in preloaded hostuuid parsing
    
    Commit b6be9566d236 stopped prison0_init writing outside of the
    preloaded hostuuid's bounds. However, the preloaded data will not
    (normally) have a NUL in it, and so validate_uuid will walk off the end
    of the buffer in its call to sscanf. Previously if there was any
    whitespace in the string we'd at least know there's a NUL one past the
    end due to the off-by-one error, but now no such byte is guaranteed.
    
    Fix this by copying to a temporary buffer and explicitly adding a NUL.
    
    Whilst here, change the strlcpy call to use a far less suspicious
    argument for dstsize; in practice it's fine, but it's an unusual pattern
    and not necessary.
    
    Found by:       CHERI
    Reviewed by:    emaste, kevans, jhb
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D33616
    
    (cherry picked from commit d2ef3774306c54f3999732fd02bdff39c6b4cf2a)
---
 sys/kern/kern_jail.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index e9019eda4d6c..a815f423dbad 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -239,6 +239,8 @@ prison0_init(void)
 {
 	uint8_t *file, *data;
 	size_t size;
+	char buf[sizeof(prison0.pr_hostuuid)];
+	bool valid;
 
 	prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset);
 	prison0.pr_osreldate = osreldate;
@@ -258,10 +260,31 @@ prison0_init(void)
 			while (size > 0 && data[size - 1] <= 0x20) {
 				size--;
 			}
-			if (validate_uuid(data, size, NULL, 0) == 0) {
-				(void)strlcpy(prison0.pr_hostuuid, data,
-				    size + 1);
-			} else if (bootverbose) {
+
+			valid = false;
+
+			/*
+			 * Not NUL-terminated when passed from loader, but
+			 * validate_uuid requires that due to using sscanf (as
+			 * does the subsequent strlcpy, since it still reads
+			 * past the given size to return the true length);
+			 * bounce to a temporary buffer to fix.
+			 */
+			if (size >= sizeof(buf))
+				goto done;
+
+			memcpy(buf, data, size);
+			buf[size] = '\0';
+
+			if (validate_uuid(buf, size, NULL, 0) != 0)
+				goto done;
+
+			valid = true;
+			(void)strlcpy(prison0.pr_hostuuid, buf,
+			    sizeof(prison0.pr_hostuuid));
+
+done:
+			if (bootverbose && !valid) {
 				printf("hostuuid: preload data malformed: '%.*s'\n",
 				    (int)size, data);
 			}