update

maestro/README.md

@@ -0,0 +1,20 @@
+# syscall-munmap-e7ebdfa-munmap-unwrap
+Integer overflow caused by multiply in `munmap()`
+
+### Reference
+
+
+### Describe the bug
+There is a multiply with overflow problem in kernel/src/syscall/munmap.rs, `munmap()`, Maestro.
+The `div_ceil()` rounds the result towards positive infinity. 
+As a result, when user calls munmap with large `length` (i.e., 0xfffffff0), the following multiplication operation will cause an integer overflow problem.
+
+https://github.com/maestro-os/maestro/blob/e7ebdfacc22040eeb2dcbe3be17e29c2c3192767/kernel/src/syscall/munmap.rs#L45-L46
+
+### To Reproduce
+1. Call system call `munmap` with large `length` (i.e., usize::MAX)
+
+### Environment
+- Maestro version: main e7ebdfa
+- ubuntu:24.04 in Docker 
+- 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz

redox/README.md

@@ -0,0 +1,183 @@
+# syscall-munmap-f3fc45a-round_up_to_page_size-integer_overflow
+Integer overflow in `round_up_to_page_size()`
+
+### Describe the bug
+There is an integer overflow in `round_up_to_page_size()` at src/platform/redox/mod.rs:48 when program calls memory related syscall (i.e., `mmap`, `munmap`, and `mprotect`) with large `len`.
+
+https://gitlab.redox-os.org/redox-os/relibc/-/blob/master/src/platform/redox/mod.rs?ref_type=heads#L47-49
+
+### To Reproduce
+1. Compile a program which calls system call `munmap` with large `len`
+```C
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main() {
+  void *addr = mmap(NULL, 4096, 0x3, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  munmap(addr, 0xffffffffffffffff);
+
+  return EXIT_SUCCESS;
+}
+```
+2. Run the compiled program
+
+### Logs
+I add `overflow-checks = true` for relibc.
+```log
+user:~# munmap
+RELIBC PANIC: panicked at src/platform/redox/mod.rs:48:6:
+attempt to add with overflow
+```
+
+# syscall-setitimer-7af6dd1-in_exact_chunks-divide_by_zero
+Divide by zero panic in `in_exact_chunks()`
+
+### Describe the bug
+There is an divide by zero panic in `in_exact_chunks()` at src/syscall/usercopy.rs:86:24 when program calls `setitimer` relibc syscall.
+
+https://gitlab.redox-os.org/redox-os/kernel/-/blob/master/src/syscall/usercopy.rs?ref_type=heads#L85-92
+
+### To Reproduce
+1. Compile a program which calls system call `setitimer`
+```C
+#include <signal.h>
+#include <stdio.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+void timer_handler(int signum) {
+  static int count = 0;
+  printf("Timer expired %d times\n", ++count);
+}
+
+int main() {
+  struct itimerval timer;
+  printf("\n\n?\n\n");
+  signal(SIGALRM, timer_handler);
+  printf("\n\n?\n\n");
+  timer.it_value.tv_sec = -1;
+  timer.it_value.tv_usec = 0x7FFFFFFF;
+  timer.it_interval.tv_sec = -1;
+  timer.it_interval.tv_usec = 0x7FFFFFFF;
+
+  printf("\n\n?\n\n");
+  setitimer(ITIMER_REAL, &timer, &timer);
+  printf("\n\n?\n\n");
+
+  return 0;
+}
+```
+The `recipe` is:
+```toml
+[build]
+template = "custom"
+script = """
+"${CXX}" \
+    "${COOKBOOK_RECIPE}/setitimer.c" \
+    -o setitimer \
+    -static
+mkdir -pv "${COOKBOOK_STAGE}/bin"
+cp -v "setitimer" "${COOKBOOK_STAGE}/bin/setitimer"
+"""
+
+```
+2. Run the compiled program
+
+### Environment
+- Official Podman
+- Intel(R) Xeon(R) Gold 6230R CPU @ 2.10GHz
+- Redox kernel version: main 7af6dd1
+
+### Logs
+```log
+user:~# setitimer
+
+
+?
+
+
+
+?
+
+
+
+?
+KERNEL PANIC: panicked at src/syscall/usercopy.rs:86:24:
+attempt to divide by zero
+
+  FP ffff80000c9efc10: PC ffffffff800a6f04
+    FFFFFFFF800A6DC0+0144
+    rust_begin_unwind
+  FP ffff80000c9efd00: PC ffffffff800116cf
+  FP ffff80000c9efd40: PC ffffffff80012fcc
+  FP ffff80000c9efd80: PC ffffffff80087613
+  FP ffff80000c9efd90: PC ffffffff8008b7d5
+    FFFFFFFF8008B7B0+0025
+    kernel::scheme::KernelScheme::kreadoff
+  FP ffff80000c9efdb0: PC ffffffff800949f5
+    FFFFFFFF800945D0+0425
+    kernel::syscall::fs::sys_read
+  FP ffff80000c9efe50: PC ffffffff80062bac
+    FFFFFFFF80062130+0A7C
+    __inner_syscall_instruction
+  FP ffff80000c9eff50: PC ffffffff80062f93
+    FFFFFFFF80062F50+0043
+    kernel::arch::x86_64::interrupt::syscall::syscall_instruction
+  00007ffffffffe20: GUARD PAGE
+CPU #3, CID 0xffffff7f801423a0
+NAME: /usr/bin/setitimer
+SYSCALL: read(4, 0x7FFFFFFFFDC8, 32)
+HALT
+```
+
+# syscall-setsockopt-32fca670-setsockopt-integer_overflow
+Integer overflow in `setsockopt()`
+
+### Describe the bug
+There is an integer overflow error in `setsockopt()` at src/platform/redox/socket.rs:364:26 when program calls `setsockopt` relibc syscall with large `timeval.tv_usec`.
+
+https://gitlab.redox-os.org/redox-os/relibc/-/blob/master/src/platform/redox/socket.rs?ref_type=heads#L362-365
+
+### To Reproduce
+1. Compile a program which calls system call `setsockopt` with large `tv_usec` (i.e., 0x7fffffff)
+```C
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+int main() {
+  int sockfd;
+  struct timeval timeout;
+
+  timeout.tv_sec = 5;
+  timeout.tv_usec = 0x7fffffff;
+
+  sockfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+
+  return 0;
+}
+```
+2. Run the compiled program
+
+### Environment
+- Official Podman
+- Intel(R) Xeon(R) Gold 6230R CPU @ 2.10GHz
+- Redox relibc version: main 32fca670
+
+### Logs
+I add `overflow-checks = true` for relibc.
+```log
+user:~# setsockopt
+RELIBC PANIC: panicked at src/platform/redox/socket.rs:364:26:
+attempt to multiply with overflow
+```
+
+# 

ruxos/README.md

@@ -0,0 +1,103 @@
+# syscall-munmap-b1f880b-sys_munmap-unwrap
+Reachable unwrap panic in `sys_munmap()` at legacy.rs
+
+### Reference
+
+
+### Describe the bug
+There is a reachable unwrap panic in `sys_munmap()` caused by aligning large `len` (i.e., 0xffffffffffffffff) of a `munmap` syscall.
+
+https://github.com/syswonder/ruxos/blob/b1f880b603cc1e578af16292f3b8a848766ea285/api/ruxos_posix_api/src/imp/mmap/legacy.rs#L72
+
+### To Reproduce
+1. Compile a program which calls `munmap`: 
+```C
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main()
+{
+    void *addr = mmap(NULL, 4096, 0x3, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+    munmap(addr, 0xffffffffffffffff);
+
+    return 0;
+}
+```
+With following features:
+```
+alloc 
+irq
+musl
+multitask
+fs
+pipe
+poll
+rtc
+signal
+virtio-9p
+```
+2. Run the compiled program in RuxOS.
+
+### Expected behavior
+
+RuxOS reports panic and is terminated.
+
+### Environment
+- RuxOS version: main b1f880b
+- ubuntu:22.04 in Docker 
+- 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
+
+### Logs
+```log
+[1728388549.205894 0:2 ruxos_posix_api::imp::mmap::legacy:67] sys_munmap <= start: 0xffffff80003fe000, len: 18446744073709551615
+[1728388549.206739 0:2 ruxruntime::lang_items:14] panicked at api/ruxos_posix_api/src/imp/mmap/legacy.rs:72:54:
+called `Result::unwrap()` on an `Err` value: LayoutError
+[1728388549.207796 0:2 ruxhal::platform::x86_pc::misc:16] Shutting down...
+```
+
+# syscall-mmap-b1f880b-sys_mmap-unwrap
+Reachable unwrap panic in `sys_mmap()` at legacy.rs
+
+### To Reproduce
+1. Compile a program which calls `munmap`: 
+```C
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main()
+{
+    mmap(NULL, 0x7ffffffffffffffe, 0x3, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+    return 0;
+}
+```
+With following features:
+```
+alloc 
+irq
+musl
+multitask
+pipe
+poll
+rtc
+signal
+virtio-9p
+```
+2. Run the compiled program in RuxOS.
+
+### Logs
+```log
+[1728436128.205115 0:2 ruxmusl::x86_64:10] x86 syscall <= syscall_name: MMAP
+[1728436128.205642 0:2 ruxos_posix_api::imp::mmap::legacy:32] sys_mmap <= start: 0x0, len: 9223372036854775806, fd: -1
+[1728436128.206396 0:2 ruxruntime::lang_items:14] panicked at api/ruxos_posix_api/src/imp/mmap/legacy.rs:44:54:
+called `Result::unwrap()` on an `Err` value: LayoutError
+[1728436128.207400 0:2 ruxhal::platform::x86_pc::misc:16] Shutting down...
+```
+
+# 

tcpreplay/README.md

@@ -684,3 +684,56 @@ __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
 #7  0x00007ffff7f4b7c8 in optionProcess () from /lib/x86_64-linux-gnu/libopts.so.25
 #8  0x000055555555899c in main (argc=2, argv=0x7fffffffde88) at tcpprep.c:89
 ```
+
+# poc-tcpreplay-43693c4-dlt_en10mb_merge_layer3-assertion
+The assertion `ctx->decoded_extra_size == sizeof(*extra);` in `dlt_en10mb_merge_layer3()` at `en10mb.c:815` is reachable when the user uses tcpreplay to open a crafted pcap file.
+
+## Test Environment
+Ubuntu 20.04.6, 64bit  
+tcpreplay (master 43693c4)
+
+```
+$ ./bin_normal/bin/tcprewrite --version
+tcprewrite version: 4.4.4 (build git:)
+Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
+Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
+The entire Tcpreplay Suite is licensed under the GPLv3
+Cache file supported: 04
+Not compiled with libdnet.
+Compiled against libpcap: 1.9.1
+64 bit packet counters: enabled
+Verbose printing via tcpdump: enabled
+Fragroute engine: disabled
+```
+
+## How to trigger
+1. Get the Tcpreplay source code and compile it.
+  ```
+  $ ./configure
+  $ make
+  ```
+2. Run Command `$ /tcprewrite --dlt=enet --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66 -o /dev/null -i $POC`  
+   The POC file could be downloaded here:  
+   [POC_file](https://raw.githubusercontent.com/Marsman1996/pocs/master/tcpreplay/poc-tcpreplay-43693c4-dlt_en10mb_merge_layer3-assertion)
+
+## Details
+The `ctx->decoded_extra` is initilized in `dlt_raw_init()`, so the `ctx->decoded_extra_size` is set to `sizeof(raw_extra_t)` (i.e., 262166), while in `dlt_en10mb_merge_layer3()` the size of `extra` is 20.
+As a result, the assertion is triggered.
+
+### GDB report
+```
+(gdb) bt
+#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
+#1  0x00007ffff7d95859 in __GI_abort () at abort.c:79
+#2  0x00007ffff7d95729 in __assert_fail_base (fmt=0x7ffff7f2b588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55555558a7a8 "ctx->decoded_extra_size == sizeof(*extra)", 
+    file=0x55555558a380 "../../../code/src/tcpedit/plugins/dlt_en10mb/en10mb.c", line=815, function=<optimized out>) at assert.c:92
+#3  0x00007ffff7da6fd6 in __GI___assert_fail (assertion=0x55555558a7a8 "ctx->decoded_extra_size == sizeof(*extra)", file=0x55555558a380 "../../../code/src/tcpedit/plugins/dlt_en10mb/en10mb.c", 
+    line=815, function=0x55555558aae0 <__PRETTY_FUNCTION__.7520> "dlt_en10mb_merge_layer3") at assert.c:101
+#4  0x00005555555664a3 in dlt_en10mb_merge_layer3 (ctx=0x55555559f830, packet=0x7ffff7cee010 "", pktlen=640, ipv4_data=0x7ffff7cee01e "OOOOOOlOOO\354\355OeOOOOI", 'O' <repeats 78 times>, 
+    ipv6_data=0x0) at ../../../code/src/tcpedit/plugins/dlt_en10mb/en10mb.c:815
+#5  0x0000555555563763 in tcpedit_dlt_merge_l3data (ctx=0x55555559f830, dlt=1, packet=0x7ffff7cee010 "", pktlen=640, 
+    ipv4_data=0x7ffff7cee01e "OOOOOOlOOO\354\355OeOOOOI", 'O' <repeats 78 times>, ipv6_data=0x0) at ../../../code/src/tcpedit/plugins/dlt_plugins.c:393
+#6  0x000055555555c52a in tcpedit_packet (tcpedit=0x55555559ef80, pkthdr=0x7fffffffda90, pktdata=0x55555559bef0 <pktdata_buff>, direction=TCPR_DIR_C2S) at ../../../code/src/tcpedit/tcpedit.c:345
+#7  0x000055555555b7a3 in rewrite_packets (tcpedit_ctx=0x55555559ef80, pin=0x55555559e4d0, pout=0x5555555a0470) at ../../code/src/tcprewrite.c:293
+#8  0x000055555555b366 in main (argc=0, argv=0x7fffffffdc38) at ../../code/src/tcprewrite.c:137
+```