Pretty obvious why.

The kernel doesn't check it's a string, before calling strlcpy
which (correctly) runs off the array hunting for the terminal NUL,
and into the next object, and I guess it finds a NUL in the next
VA page which isn't actually mapped with storage.

With strncpy, this was safe.  The input storage wasn't a real
string, and the interior storage wasn't a real string either.  Then
on the output side, this was handled.

There are two choices to go with:

- validate the input is a string before calling strlcpy.
- copy the whole region with memcpy, and then manually NUL-terminate
  the buffer.

The same will apply to other vcp ioctl fields.

Greg Steuck <g...@nest.cx> wrote:

> > Index: sys/arch/amd64/amd64/vmm.c
> > ===================================================================
> > RCS file: /mount/openbsd/cvs/src/sys/arch/amd64/amd64/vmm.c,v
> > retrieving revision 1.266
> > diff -u -p -r1.266 vmm.c
> > --- sys/arch/amd64/amd64/vmm.c 11 Mar 2020 16:38:42 -0000 1.266
> > +++ sys/arch/amd64/amd64/vmm.c 12 Mar 2020 21:15:01 -0000
> > @@ -1167,7 +1167,7 @@ vm_create(struct vm_create_params *vcp,
> >   memcpy(vm->vm_memranges, vcp->vcp_memranges,
> >      vm->vm_nmemranges * sizeof(vm->vm_memranges[0]));
> >   vm->vm_memory_size = memsize;
> > - strncpy(vm->vm_name, vcp->vcp_name, VMM_MAX_NAME_LEN);
> > + strlcpy(vm->vm_name, vcp->vcp_name, VMM_MAX_NAME_LEN);
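Review bot: the new strlcpy call needs a NUL-terminated source, but vcp->vcp_name is userland data that arrived through the ioctl path (vn_ioctl -> VOP_IOCTL -> vm_create in the trace below), so nothing guarantees a terminator within VMM_MAX_NAME_LEN bytes, and when there is none strlcpy walks past vcp_name looking for one, which is the uvm_fault reported below. Either check for a terminator before copying, e.g. `if (memchr(vcp->vcp_name, '\0', sizeof(vcp->vcp_name)) == NULL) return (EINVAL);`, or keep a bounded copy (memcpy of VMM_MAX_NAME_LEN bytes, then set the last byte of vm_name to '\0' by hand). Whichever is chosen, the same treatment is needed for any other string field copied out of vcp with strlcpy.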
> 
> Coincidentally syzkaller managed to trigger a uvm_fault in this line.
> https://syzkaller.appspot.com/bug?extid=48e38ebd31c030b5841c
> 
> ddb> trace
> strlcpy(ffff80001d374448,ffff800000a2cc20,40) at strlcpy+0xcf
> sys/lib/libkern/strlcpy.c:44
> vm_create(ffff800000a2c800,ffff80001d339758) at vm_create+0x112
> sys/arch/amd64/amd64/vmm.c:1172
> VOP_IOCTL(fffffd805d843820,c5005601,ffff800000a2c800,1,fffffd806c3bfc00,ffff80001d339758)
> at VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
> vn_ioctl(fffffd805d877800,c5005601,ffff800000a2c800,ffff80001d339758) at
> vn_ioctl+0xb5 sys/kern/vfs_vnops.c:531
> 
> Unfortunately there's no reproducer
> 
> Thanks
> Greg
> -- 
> nest.cx is Gmail hosted, use PGP:
> https://pgp.key-server.io/0x0B1542BD8DF5A1B0
> Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0
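As an added example (not code from this thread or from the OpenBSD tree), here are both fixes proposed above side by side, plus a reproduction of the over-read that stays inside mapped memory. It assumes VMM_MAX_NAME_LEN is 64 (matching the 0x40 size argument in the trace), uses a hypothetical struct vcp_example in place of vm_create_params, and carries its own copy of the classic strlcpy algorithm so it builds on libcs that do not ship strlcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the kernel constant: the trace above passes 0x40 (64)
 * as the size argument to strlcpy, so 64 is used here. */
#define VMM_MAX_NAME_LEN 64

/* Hypothetical stand-in for the ioctl parameter block; only the name field
 * matters here.  Userland fills this array and nothing guarantees a NUL. */
struct vcp_example {
	char vcp_name[VMM_MAX_NAME_LEN];
};

/*
 * Local copy of the classic strlcpy algorithm (same semantics as the
 * libkern one: copies at most dstsz-1 bytes, always terminates dst and
 * returns strlen(src)).  The second loop walks src until it finds a NUL
 * with no bound at all, which is the over-read in the trace.
 */
static size_t
example_strlcpy(char *dst, const char *src, size_t dstsz)
{
	const char *s = src;
	size_t n = dstsz;

	if (n != 0) {
		while (--n != 0) {
			if ((*dst++ = *s++) == '\0')
				break;
		}
	}
	if (n == 0) {
		if (dstsz != 0)
			*dst = '\0';
		while (*s++)	/* keeps reading past the source array */
			;
	}
	return s - src - 1;
}

/*
 * Option 1: validate that the input is a string before calling strlcpy.
 * Returns 0 on success, -1 when no NUL exists inside vcp_name (an ioctl
 * handler would fail the request with EINVAL instead of copying).
 */
int
vm_name_copy_validated(char *dst, size_t dstsz, const struct vcp_example *vcp)
{
	if (memchr(vcp->vcp_name, '\0', sizeof(vcp->vcp_name)) == NULL)
		return -1;
	example_strlcpy(dst, vcp->vcp_name, dstsz);	/* source is a real string now */
	return 0;
}

/*
 * Option 2: copy the whole region with memcpy and NUL-terminate by hand.
 * Never reads outside vcp_name; a maximal-length name loses its last byte
 * to the terminator.
 */
void
vm_name_copy_memcpy(char *dst, size_t dstsz, const struct vcp_example *vcp)
{
	size_t n = sizeof(vcp->vcp_name) < dstsz ? sizeof(vcp->vcp_name) : dstsz;

	memcpy(dst, vcp->vcp_name, n);
	dst[n - 1] = '\0';
}

/*
 * Shows the failure mode without touching unmapped memory: a constructed
 * 64-byte name with no NUL, followed in the same buffer by a "next object"
 * that happens to contain one.  strlcpy's return value (the source length
 * it measured) shows how far past the name it read.
 */
size_t
overread_demo(void)
{
	char blob[VMM_MAX_NAME_LEN + 8];	/* constructed input */
	char dst[VMM_MAX_NAME_LEN];

	memset(blob, 'A', VMM_MAX_NAME_LEN);
	memcpy(blob + VMM_MAX_NAME_LEN, "next\0\0\0\0", 8);
	return example_strlcpy(dst, blob, sizeof(dst));	/* 68, well past 64 */
}

int
main(void)
{
	struct vcp_example vcp;
	char name[VMM_MAX_NAME_LEN];

	memset(vcp.vcp_name, 'A', sizeof(vcp.vcp_name));	/* no terminator */
	printf("validated copy: %d\n", vm_name_copy_validated(name, sizeof(name), &vcp));
	vm_name_copy_memcpy(name, sizeof(name), &vcp);
	printf("memcpy copy: %zu chars kept\n", strlen(name));
	printf("strlcpy measured %zu bytes of source\n", overread_demo());
	return 0;
}
```

The memchr check is the cheaper change to reason about because it leaves the strlcpy call itself untouched and rejects the malformed input outright; the memcpy form silently truncates, which is closer to what the old strncpy path tolerated.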
