ktrace: Fix uninitialized memory disclosure

The sockaddr passed to ktrcapfail() may be smaller than
sizeof(struct sockaddr), and the trailing bytes in the sockaddr
structure will be uninitialized, w

ktrace: Fix uninitialized memory disclosure

The sockaddr passed to ktrcapfail() may be smaller than
sizeof(struct sockaddr), and the trailing bytes in the sockaddr
structure will be uninitialized, whereupon they get copied out to
userspace.

PR: 283673
Reviewed by: jfree, emaste
Reported by: Yichen Chai <yichen.chai@gmail.com>
Reported by: Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Fixes: 9bec84131215 ("ktrace: Record detailed ECAPMODE violations")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D48499

show more ...

ktrace: log execve(2) arguments and environment

Two new events KTR_ARGS and KTR_ENV can be used to
trace arguments of execve(2).

Reviewed by: glebius
Differential Revision: https://reviews.freebsd

ktrace: log execve(2) arguments and environment

Two new events KTR_ARGS and KTR_ENV can be used to
trace arguments of execve(2).

Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D47127

show more ...

ktrace: Fix an inverted privilege check

Approved by: so
Security: FreeBSD-24:06.ktrace
Security: CVE-2024-6760
Fixes: 1762f674ccb5 ("ktrace: pack all ktrace parameters into allocated structure ktr_i

ktrace: Fix an inverted privilege check

Approved by: so
Security: FreeBSD-24:06.ktrace
Security: CVE-2024-6760
Fixes: 1762f674ccb5 ("ktrace: pack all ktrace parameters into allocated structure ktr_io_params")

show more ...

ktrace: Record detailed ECAPMODE violations

When a Capsicum violation occurs in the kernel, ktrace will now record
detailed information pertaining to the violation.

For example:
- When a namei look

ktrace: Record detailed ECAPMODE violations

When a Capsicum violation occurs in the kernel, ktrace will now record
detailed information pertaining to the violation.

For example:
- When a namei lookup violation occurs, ktrace will record the path.
- When a signal violation occurs, ktrace will record the signal number.
- When a sendto(2) violation occurs, ktrace will record the recipient
sockaddr.

For all violations, the syscall and ABI is recorded.

kdump is also modified to display this new information to the user.

Reviewed by: oshogbo, markj
Approved by: markj (mentor)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D40676

show more ...

ktrace: log genio events on failed write

Visibility into the contents of the buffer when a write(2) has failed
can be immensely useful in debugging IPC issues -- pushing this to
discuss the idea, or

ktrace: log genio events on failed write

Visibility into the contents of the buffer when a write(2) has failed
can be immensely useful in debugging IPC issues -- pushing this to
discuss the idea, or maybe an alternative where we can set a flag like
KTRFAC_ERRIO to enable it.

When a genio event is potentially raised after an error, currently we'll
just free the uio and return. However, such data can be useful when
debugging communication between processes to, e.g., understand what the
remote side should have grabbed before closing a pipe. Tap out the
entire buffer on failure rather than simply discarding it.

Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D43799

show more ...

Abstract UIO allocation and deallocation.

Introduce the allocuio() and freeuio() functions to allocate and
deallocate struct uio. This hides the actual allocator interface, so it
is easier to modify

Abstract UIO allocation and deallocation.

Introduce the allocuio() and freeuio() functions to allocate and
deallocate struct uio. This hides the actual allocator interface, so it
is easier to modify the sub-allocation layout of struct uio and the
corresponding iovec array.

Obtained from: CheriBSD
Reviewed by: kib, markj
MFC after: 2 weeks
Sponsored by: CHaOS, EPSRC grant EP/V000292/1
Differential Revision: https://reviews.freebsd.org/D43711

show more ...

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl s

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

ktrace: Make the data lengths table const

No functional change intended.

MFC after: 1 week

ktrace: change AST handler to require AST flag set

When it was inline it made sense to depend on the existing nested check
in KTRUSERRET() rather than adding a new td_flags flag. However, since
we

ktrace: change AST handler to require AST flag set

When it was inline it made sense to depend on the existing nested check
in KTRUSERRET() rather than adding a new td_flags flag. However, since
we now have a TDA_KTRACE flag anyway, we might as well check it and
avoid the call.

Suggested by: jhb
Reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D35888

show more ...

AST: rework

Make most AST handlers dynamically registered. This allows to have
subsystem-specific handler source located in the subsystem files,
instead of making subr_trap.c aware of it. For inst

AST: rework

Make most AST handlers dynamically registered. This allows to have
subsystem-specific handler source located in the subsystem files,
instead of making subr_trap.c aware of it. For instance, signal
delivery code on return to userspace is now moved to kern_sig.c.

Also, it allows to have some handlers designated as the cleanup (kclear)
type, which are called both at AST and on thread/process exit. For
instance, ast(), exit1(), and NFS server no longer need to be aware
about UFS softdep processing.

The dynamic registration also allows third-party modules to register AST
handlers if needed. There is one caveat with loadable modules: the
code does not make any effort to ensure that the module is not unloaded
before all threads processed through AST handler in it. In fact, this
is already present behavior for hwpmc.ko and ufs.ko. I do not think it
is worth the efforts and the runtime overhead to try to fix it.

Reviewed by: markj
Tested by: emaste (arm64), pho
Discussed with: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D35888

show more ...

ktrace: Increase precision of timestamps.

Replace struct timeval in header with struct timespec.
To differentiate header formats, add a new KTR_VERSIONED flag
set in the header type field similar to

ktrace: Increase precision of timestamps.

Replace struct timeval in header with struct timespec.
To differentiate header formats, add a new KTR_VERSIONED flag
set in the header type field similar to the existing KTRDROP flag.

To make it easier to extend ktrace headers in the future,
extend the existing header with a version field (version 0 is
reserved for older records without KTR_VERSIONED) as well as
new fields holding the thread ID and CPU ID.

Reviewed by: jhb, pauamma
Differential Revision: https://reviews.freebsd.org/D35774
MFC after: 2 weeks

show more ...

syscallarg_t: Add a type for system call arguments

This more clearly differentiates system call arguments from integer
registers and return values. On current architectures it has no effect,
but on

syscallarg_t: Add a type for system call arguments

This more clearly differentiates system call arguments from integer
registers and return values. On current architectures it has no effect,
but on architectures where pointers are not integers (CHERI) and may
not even share registers (CHERI-MIPS) it is necessiary to differentiate
between system call arguments (syscallarg_t) and integer register values
(register_t).

Obtained from: CheriBSD

Reviewed by: imp, kib
Differential Revision: https://reviews.freebsd.org/D33780

show more ...

vfs: NDFREE(&nd, NDF_ONLY_PNBUF) -> NDFREE_PNBUF(&nd)

Revert "syscallarg_t: Add a type for system call arguments"

Missed issues in truss on at least armv7 and powerpcspe need to be
resolved before recommit.

This reverts commit 3889fb8af0b611e3126dc250

Revert "syscallarg_t: Add a type for system call arguments"

Missed issues in truss on at least armv7 and powerpcspe need to be
resolved before recommit.

This reverts commit 3889fb8af0b611e3126dc250ebffb01805152104.
This reverts commit 1544e0f5d1f1e3b8c10a64cb899a936976ca7ea4.

show more ...

syscallarg_t: Add a type for system call arguments

This more clearly differentiates system call arguments from integer
registers and return values. On current architectures it has no effect,
but on

syscallarg_t: Add a type for system call arguments

This more clearly differentiates system call arguments from integer
registers and return values. On current architectures it has no effect,
but on architectures where pointers are not integers (CHERI) and may
not even share registers (CHERI-MIPS) it is necessiary to differentiate
between system call arguments (syscallarg_t) and integer register values
(register_t).

Obtained from: CheriBSD

Reviewed by: imp, kib
Differential Revision: https://reviews.freebsd.org/D33780

show more ...

vfs: remove the unused thread argument from NDINIT*

See b4a58fbf640409a1 ("vfs: remove cn_thread")

Bump __FreeBSD_version to 1400043.

ktrace: Zero request structures when populating the pool

Otherwise uninitialized pad bytes may be copied into the ktrace log
file.

Reported by: KMSAN
MFC after: 1 week
Sponsored by: The FreeBSD Fou

ktrace: Zero request structures when populating the pool

Otherwise uninitialized pad bytes may be copied into the ktrace log
file.

Reported by: KMSAN
MFC after: 1 week
Sponsored by: The FreeBSD Foundation

show more ...

ktrace: Fix an inverted comparison added in commit f3851b235

Fixes: f3851b235 ("ktrace: Fix a race with fork()")
Reported by: dchagin, phk

ktrace: Fix a race with fork()

ktrace(2) may toggle trace points in any of
1. a single process
2. all members of a process group
3. all descendents of the processes in 1 or 2

In the first two cases

ktrace: Fix a race with fork()

ktrace(2) may toggle trace points in any of
1. a single process
2. all members of a process group
3. all descendents of the processes in 1 or 2

In the first two cases, we do not permit the operation if the process is
being forked or not visible. However, in case 3 we did not enforce this
restriction for descendents. As a result, the assertions about the child
in ktrprocfork() may be violated.

Move these checks into ktrops() so that they are applied consistently.

Allow KTROP_CLEAR for nascent processes. Otherwise, there is a window
where we cannot clear trace points for a nascent child if they are
inherited from the parent.

Reported by: syzbot+d96676592978f137e05c@syzkaller.appspotmail.com
Reported by: syzbot+7c98fcf84a4439f2817f@syzkaller.appspotmail.com
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30481

show more ...

ktrace: Handle negative array sizes in ktrstructarray

ktrstructarray() may be used to create copies of kevent(2) change and
event arrays. It is called before parameter validation is done and so
sho

ktrace: Handle negative array sizes in ktrstructarray

ktrstructarray() may be used to create copies of kevent(2) change and
event arrays. It is called before parameter validation is done and so
should check for bogus array lengths before allocating a copy.

Reported by: syzkaller
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30479

show more ...

ktrace: Remove vrele() at the end of ktr_writerequest()

As of commit fc369a353 we no longer ref the vnode when writing a record.
Drop the corresponding vrele() call in the error case.

Fixes: fc369a

ktrace: Remove vrele() at the end of ktr_writerequest()

As of commit fc369a353 we no longer ref the vnode when writing a record.
Drop the corresponding vrele() call in the error case.

Fixes: fc369a353 ("ktrace: fix a race between writes and close")
Reported by: syzbot+9b96ea7a5ff8917d3fe4@syzkaller.appspotmail.com
Reported by: syzbot+6120ebbb354cd52e5107@syzkaller.appspotmail.com
Reviewed by: kib
MFC after: 6 days
Differential Revision: https://reviews.freebsd.org/D30404

show more ...

ktrace: fix a race between writes and close

It was possible that termination of ktrace session occured during some
record write, in which case write occured after the close of the vnode.
Use ktr_io_

ktrace: fix a race between writes and close

It was possible that termination of ktrace session occured during some
record write, in which case write occured after the close of the vnode.
Use ktr_io_params refcounting to avoid this situation, by taking the
reference on the structure instead of vnode.

Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D30400

show more ...

ktrace: Avoid recursion in namei()

sys_ktrace() calls namei(), which may call ktrnamei(). But sys_ktrace()
also calls ktrace_enter() first, so if the caller is itself being
traced, the assertion in

ktrace: Avoid recursion in namei()

sys_ktrace() calls namei(), which may call ktrnamei(). But sys_ktrace()
also calls ktrace_enter() first, so if the caller is itself being
traced, the assertion in ktrace_enter() is triggered. And, ktrnamei()
does not check for recursion like most other ktrace ops do.

Fix the bug by simply deferring the ktrace_enter() call.

Also make the parameter to ktrnamei() const and convert to ANSI.

Reported by: syzbot+d0a4de45e58d3c08af4b@syzkaller.appspotmail.com
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30340

show more ...

ktrace: add a kern.ktrace.filesize_limit_signal knob

When enabled, writes to ktrace.out that exceed the max file size limit
cause SIGXFSZ as it should be, but note that the limit is taken from
the p

ktrace: add a kern.ktrace.filesize_limit_signal knob

When enabled, writes to ktrace.out that exceed the max file size limit
cause SIGXFSZ as it should be, but note that the limit is taken from
the process that initiated ktrace. When disabled, write is blocked,
but signal is not send.

Note that in either case ktrace for the affected process is stopped.

Requested and reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D30257

show more ...