From 1d968f95f3a46519193eefcc3e963e7d219feace Mon Sep 17 00:00:00 2001
From: gibbz00
Date: Fri, 26 Dec 2025 12:30:32 +0100
Subject: [PATCH 1/6] linux, l4re: address soundness issues of `CMSG_NXTHDR`
This change makes sure that the header of `next` is within max, returning null if not. This is similar to how `glibc` does it. No checks were previously being done to assert that `next as usize + size_of::() < max`. Wrapping offset calculations could then lead to buffer over-reads in the following `(*next).cmsg_len`. [glibc ref](https://github.com/bminor/glibc/blob/b71d59074b98ad4abd23c136ec9ad4c26e29ee6d/sysdeps/unix/sysv/linux/cmsg_nxthdr.c#L49-L51)
---
 src/unix/linux_like/linux_l4re_shared.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/unix/linux_like/linux_l4re_shared.rs b/src/unix/linux_like/linux_l4re_shared.rs
index bd3cfafeb6e72..7fae06c781b41 100644
--- a/src/unix/linux_like/linux_l4re_shared.rs
+++ b/src/unix/linux_like/linux_l4re_shared.rs
@@ -1493,15 +1493,14 @@ f! {
 if ((*cmsg).cmsg_len as usize) < size_of::() {
 return core::ptr::null_mut::();
 }
- let next = (cmsg as usize + super::CMSG_ALIGN((*cmsg).cmsg_len as usize)) as *mut crate::cmsghdr;
- let max = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;
- if (next.wrapping_offset(1)) as usize > max || next as usize + super::CMSG_ALIGN((*next).cmsg_len as usize) > max
- {
+
+ let next_addr = cmsg as usize + super::CMSG_ALIGN((*cmsg).cmsg_len as usize);
+ let max_addr = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;
+
+ if next_addr + size_of::() > max_addr {
 core::ptr::null_mut::()
 } else {
- next
+ next_addr as _
 }
 }
From 421a7fb374e00bb0a4b6a111811f8acaff0abdc9 Mon Sep 17 00:00:00 2001
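Review bot: The new bound check still relies on unchecked `usize` addition on the `next_addr` line and in `if next_addr + size_of::<cmsghdr>() > max_addr`, so a corrupt or oversized `cmsg_len` can wrap the sum (a panic in debug builds, a silent wrap in release), compare below `max_addr`, and hand the caller a non-null pointer that lies before `cmsg` — the over-read this commit sets out to remove would then just move to the caller's next dereference. Reasoning about the space remaining after `cmsg` instead of absolute addresses avoids the wrap without changing the interface, and the `step < cmsg_len` test below also catches `CMSG_ALIGN` itself wrapping for a `cmsg_len` near `usize::MAX`. The check intentionally requires only the next header to fit, not its payload, leaving that to the following `CMSG_NXTHDR` call as the glibc reference does; that deserves a one-line comment so the next reader does not "fix" it. The enclosing `CMSG_NXTHDR` function begins outside the hunk, and `size_of`'s generic argument appears to have been stripped in this rendering.
```rust
        // … unchanged: `cmsg_len < size_of::<cmsghdr>()` guard …
        let cmsg_addr = cmsg as usize;
        let max_addr = (*mhdr).msg_control as usize + (*mhdr).msg_controllen as usize;

        // Work with the space left after `cmsg` rather than absolute addresses,
        // so a huge or corrupt cmsg_len cannot wrap the arithmetic (plain `+`
        // panics in debug builds and wraps silently in release).
        let remaining = match max_addr.checked_sub(cmsg_addr) {
            Some(space) => space,
            None => return core::ptr::null_mut(),
        };
        let cmsg_len = (*cmsg).cmsg_len as usize;
        let step = super::CMSG_ALIGN(cmsg_len);

        // Only the next *header* must fit; its own cmsg_len is validated by the
        // following CMSG_NXTHDR call, as in glibc. `step < cmsg_len` catches a
        // CMSG_ALIGN wrap-around.
        if step < cmsg_len || remaining < step || remaining - step < size_of::<cmsghdr>() {
            core::ptr::null_mut()
        } else {
            (cmsg_addr + step) as _
        }
```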
From: gibbz00
Date: Sat, 27 Dec 2025 15:12:18 +0100
Subject: [PATCH 2/6] Remove redundant CMSG_NXTHDR test assertions.
Likely written to make assertions in the unsound CMSG_NXTHDR implementations introduced in #1235. CMSG_NXTHDR(mhdr, current_cmsghdr) should not be concerned with the value next_cmsghdr.cmsg_len, which the previous implementation did.
---
 libc-test/tests/cmsg.rs | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/libc-test/tests/cmsg.rs b/libc-test/tests/cmsg.rs
index b9573e1d040af..7ec282adc75f9 100644
--- a/libc-test/tests/cmsg.rs
+++ b/libc-test/tests/cmsg.rs
@@ -79,21 +79,12 @@ mod t {
 if cfg!(target_os = "aix") && cmsg_len % std::mem::size_of::() != 0 {
 continue;
 }
- for next_cmsg_len in 0..32 {
- unsafe {
- pcmsghdr.cast::().write_bytes(0, CAPACITY);
- (*pcmsghdr).cmsg_len = cmsg_len as _;
- let libc_next = libc::CMSG_NXTHDR(&mhdr, pcmsghdr);
- let next = cmsg_nxthdr(&mhdr, pcmsghdr);
- assert_eq!(libc_next, next);
-
- if !libc_next.is_null() {
- (*libc_next).cmsg_len = next_cmsg_len;
- let libc_next = libc::CMSG_NXTHDR(&mhdr, pcmsghdr);
- let next = cmsg_nxthdr(&mhdr, pcmsghdr);
- assert_eq!(libc_next, next);
- }
- }
+ unsafe {
+ pcmsghdr.cast::().write_bytes(0, CAPACITY);
+ (*pcmsghdr).cmsg_len = cmsg_len as _;
+ let libc_next = libc::CMSG_NXTHDR(&mhdr, pcmsghdr);
+ let next = cmsg_nxthdr(&mhdr, pcmsghdr);
+ assert_eq!(libc_next, next);
 }
 }
 }
From 2de67747fe36bc5fb7858598b5e1098f35e12b11 Mon Sep 17 00:00:00 2001
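Review bot: The new `unsafe` block carries no `// SAFETY:` comment, yet its soundness rests on `pcmsghdr` pointing at a buffer of at least `CAPACITY` bytes with `mhdr.msg_control`/`msg_controllen` describing a sub-range of it — that is what `write_bytes(0, CAPACITY)` and the two `CMSG_NXTHDR` calls need, and it is only established further up in `test_cmsg_nxthdr`, outside this hunk. I'd put `// SAFETY: pcmsghdr points at the CAPACITY-byte test buffer and mhdr.msg_control/msg_controllen describe a prefix of it.` directly above the `unsafe {`. The body of `test_cmsg_nxthdr` starts and ends outside the hunk.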
From: gibbz00
Date: Sat, 27 Dec 2025 15:33:01 +0100
Subject: [PATCH 3/6] Properly set `cmsg_len` in `CMSG_NXTHDR` tests.
Setting `(*pcmsghdr).cmsg_len = cmsg_len as _;` when cmsg_len ranges from 0 to 64 is invalid as it must always be `>= size_of::()`, rounded up to the nearest alignment boundary. Some implementations (notably glbic) do check that `cmsg_len >= size_of::()` in `CMSG_NXTHDR`, returning null if so. But this is more so an extra precaution that is not mentioned in the POSIX 1003.1-2024. It can therefore not be relied on for tests executed on multiple platforms. The change also removes the ignoring of some testvalues when targeting AIX.
---
 libc-test/tests/cmsg.rs | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/libc-test/tests/cmsg.rs b/libc-test/tests/cmsg.rs
index 7ec282adc75f9..99fa7c1ebc276 100644
--- a/libc-test/tests/cmsg.rs
+++ b/libc-test/tests/cmsg.rs
@@ -74,14 +74,10 @@ mod t {
 let pcmsghdr = buffer.0.as_mut_ptr().cast::();
 mhdr.msg_control = pcmsghdr.cast::();
 mhdr.msg_controllen = (160 - start_ofs) as _;
- for cmsg_len in 0..64 {
- // Address must be a multiple of 0x4 for testing on AIX.
- if cfg!(target_os = "aix") && cmsg_len % std::mem::size_of::() != 0 {
- continue;
- }
+ for cmsg_payload_len in 0..64 {
 unsafe {
 pcmsghdr.cast::().write_bytes(0, CAPACITY);
- (*pcmsghdr).cmsg_len = cmsg_len as _;
+ (*pcmsghdr).cmsg_len = libc::CMSG_LEN(cmsg_payload_len as _) as _;
 let libc_next = libc::CMSG_NXTHDR(&mhdr, pcmsghdr);
 let next = cmsg_nxthdr(&mhdr, pcmsghdr);
 assert_eq!(libc_next, next);
From 44ae998821cecad2aa273e76e3bd7043d139349a Mon Sep 17 00:00:00 2001
From: gibbz00
Date: Sat, 27 Dec 2025 15:38:51 +0100
Subject: [PATCH 4/6] sparc64: remove ignore for `CMSG_NXTHDR` tests
---
 libc-test/tests/cmsg.rs | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/libc-test/tests/cmsg.rs b/libc-test/tests/cmsg.rs
index 99fa7c1ebc276..b03e0729601a5 100644
--- a/libc-test/tests/cmsg.rs
+++ b/libc-test/tests/cmsg.rs
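Review bot: Dropping the AIX `continue` may bring back what it was guarding against: the removed comment required the value to be a multiple of 0x4, and `libc::CMSG_LEN(cmsg_payload_len as _)` for `cmsg_payload_len` in `0..64` still produces `cmsg_len` values that are not multiples of 4 (as I read it, CMSG_LEN adds the raw payload length to the aligned header size and does not round up), so unless the AIX divergence was only about lengths below the header size the skip is still needed. If so, keep it in terms of the new loop variable: `if cfg!(target_os = "aix") && libc::CMSG_LEN(cmsg_payload_len as _) % 4 != 0 { continue; }` as the first statement of the loop. The `cmsg_payload_len` loop and the `unsafe` block close outside the hunk.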
@@ -17,8 +17,6 @@ mod t {
 extern "C" {
 pub fn cmsg_firsthdr(msgh: *const msghdr) -> *mut cmsghdr;
- // see below
- #[cfg(not(target_arch = "sparc64"))]
 pub fn cmsg_nxthdr(mhdr: *const msghdr, cmsg: *const cmsghdr) -> *mut cmsghdr;
 pub fn cmsg_space(length: c_uint) -> usize;
 pub fn cmsg_len(length: c_uint) -> usize;
@@ -58,9 +56,6 @@ mod t {
 }
 }
- // Skip on sparc64
- // https://github.com/rust-lang/libc/issues/1239
- #[cfg(not(target_arch = "sparc64"))]
 #[test]
 fn test_cmsg_nxthdr() {
 // Helps to align the buffer on the stack.
From f35f12905297154d92c03123d7d496dc848f8452 Mon Sep 17 00:00:00 2001
From: gibbz00
Date: Sat, 27 Dec 2025 16:19:30 +0100
Subject: [PATCH 5/6] Test msghdr.controllen boundary behaviour for `CMSG_NXTHDR`
---
 libc-test/tests/cmsg.rs | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/libc-test/tests/cmsg.rs b/libc-test/tests/cmsg.rs
index b03e0729601a5..33285f350252d 100644
--- a/libc-test/tests/cmsg.rs
+++ b/libc-test/tests/cmsg.rs
@@ -64,18 +64,33 @@ mod t {
 const CAPACITY: usize = 512;
 let mut buffer = Align8([0_u8; CAPACITY]);
+ let pcmsghdr = buffer.0.as_mut_ptr().cast::();
+
 let mut mhdr: msghdr = unsafe { mem::zeroed() };
- for start_ofs in 0..64 {
- let pcmsghdr = buffer.0.as_mut_ptr().cast::();
- mhdr.msg_control = pcmsghdr.cast::();
- mhdr.msg_controllen = (160 - start_ofs) as _;
+ mhdr.msg_control = pcmsghdr.cast::();
+
+ for trunc in 0..64 {
+ mhdr.msg_controllen = (160 - trunc) as _;
+ for cmsg_payload_len in 0..64 {
+ let mut current_cmsghdr_ptr = pcmsghdr;
+ assert!(!current_cmsghdr_ptr.is_null());
+
+ while !current_cmsghdr_ptr.is_null() {
+ unsafe {
+ (*current_cmsghdr_ptr).cmsg_len = libc::CMSG_LEN(cmsg_payload_len as _) as _;
+
+ let libc_next = libc::CMSG_NXTHDR(&mhdr, current_cmsghdr_ptr);
+ let system_next = cmsg_nxthdr(&mhdr, current_cmsghdr_ptr);
+ assert_eq!(libc_next, system_next);
+
+ current_cmsghdr_ptr = libc_next;
+ }
+ }
+
 unsafe {
 pcmsghdr.cast::().write_bytes(0, CAPACITY);
- (*pcmsghdr).cmsg_len = libc::CMSG_LEN(cmsg_payload_len as _) as _;
- let libc_next = libc::CMSG_NXTHDR(&mhdr, pcmsghdr);
- let next = cmsg_nxthdr(&mhdr, pcmsghdr);
- assert_eq!(libc_next, next);
 }
 }
 }
From ba6c66abfc33ee07b32209d5eb2a62cefe3d8aba Mon Sep 17 00:00:00 2001
From: gibbz00
Date: Sat, 27 Dec 2025 16:49:43 +0100
Subject: [PATCH 6/6] Add some context to `CMSG_NXTHDR` test assertions.
---
 libc-test/tests/cmsg.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libc-test/tests/cmsg.rs b/libc-test/tests/cmsg.rs
index 33285f350252d..57dbefb2d2037 100644
--- a/libc-test/tests/cmsg.rs
+++ b/libc-test/tests/cmsg.rs
@@ -75,6 +75,7 @@ mod t {
 for cmsg_payload_len in 0..64 {
 let mut current_cmsghdr_ptr = pcmsghdr;
 assert!(!current_cmsghdr_ptr.is_null());
+ let mut count = 0;
 while !current_cmsghdr_ptr.is_null() {
 unsafe {
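Review bot: The walk dereferences the pointer under test before checking it: `current_cmsghdr_ptr = libc_next;` followed by `(*current_cmsghdr_ptr).cmsg_len = …` on the next iteration writes through whatever `libc::CMSG_NXTHDR` returned, so an implementation with exactly the bound bug this series fixes would write past `msg_controllen` into the stack buffer (and past `CAPACITY` for a large enough miss) instead of failing the test cleanly. Asserting that the result lies inside the control buffer before it is used turns that into an ordinary assertion failure — after the `assert_eq!`, add `let end = mhdr.msg_control as usize + mhdr.msg_controllen as usize;` and `assert!(libc_next.is_null() || libc_next as usize + mem::size_of::<cmsghdr>() <= end, "CMSG_NXTHDR returned a header outside msg_control");`. With that bound in place the loop is also guaranteed to terminate as long as each step advances, since every `cmsg_len` written here is a `CMSG_LEN` value. `test_cmsg_nxthdr` opens before the hunk.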
@@ -83,9 +84,14 @@ mod t {
 let libc_next = libc::CMSG_NXTHDR(&mhdr, current_cmsghdr_ptr);
 let system_next = cmsg_nxthdr(&mhdr, current_cmsghdr_ptr);
- assert_eq!(libc_next, system_next);
+ assert_eq!(
+ system_next, libc_next,
+ "msg_crontrollen: {}, payload_len: {}, count: {}",
+ mhdr.msg_controllen, cmsg_payload_len, count
+ );
 current_cmsghdr_ptr = libc_next;
+ count += 1;
 }
 }
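Review bot: The new assertion message misspells the field as `msg_crontrollen`; this string is what a failing CI run prints, so it should read `"msg_controllen: {}, payload_len: {}, count: {}"`. Now that `count` exists, it can also cap the walk so that a `CMSG_NXTHDR` that fails to advance fails the test rather than hanging it: `assert!(count <= 160 / mem::size_of::<cmsghdr>(), "CMSG_NXTHDR is not advancing");` at the top of the loop body, 160 being the largest `msg_controllen` the test sets and each header occupying at least `size_of::<cmsghdr>()` bytes. The `while` loop and `unsafe` block open before this hunk.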