`impl GetSockOpt for nix::sys::socket::sockopt::SockType` causes UB with unknown socket type #1819

ahcodedthat · 2022-09-15T19:59:03Z

Description

I noticed that the implementation of GetSockOpt for nix::sys::socket::sockopt::SockType simply assumes that the socket type returned by the kernel is one of those defined in enum nix::sys::socket::SockType without checking. If that assumption is violated, you get undefined behavior.

Linux has at least one such socket type already (SOCK_PACKET), and operating systems are free to add new ones at any time.

Other socket options probably suffer from a similar problem, but I haven't tested that.

Alternative

socket2::Type deals with this problem by being a newtype wrapper around a c_int instead of an enum.

Proof of concept

This works on Linux only.

use nix::sys::socket::{getsockopt, sockopt};
use std::process::ExitCode;

fn main() -> ExitCode {
	let sockfd = unsafe { libc::socket(libc::AF_PACKET, libc::SOCK_PACKET, 0) };

	if sockfd == -1 {
		eprintln!("Error opening socket: {}", nix::Error::last());
		return ExitCode::FAILURE;
	}

	let socktype = match getsockopt(sockfd, sockopt::SockType) {
		Ok(ok) => ok,
		Err(error) => {
			eprintln!("Error getting socket type: {error}");
			return ExitCode::FAILURE
		}
	};

	eprintln!("The socket's type is: {socktype:?}");
	ExitCode::SUCCESS
}

Output:

$ target/debug/nix-ub 
The socket's type is: Segmentation fault

Note that creating a SOCK_PACKET socket is a privileged operation, so the executable needs to be granted that privilege first:

$ cargo build
$ sudo setcap CAP_NET_RAW+eip target/debug/nix-ub

The text was updated successfully, but these errors were encountered:

asomers · 2022-09-15T20:24:42Z

Good catch.

When reading a value into an enum from getsockopt, we must validate it. Failing to do so can lead to UB for example with SOCK_PACKET on Linux. Perform the validation in GetSockOpt::get. Currently SockType is the only type that requires validation. Fixes nix-rust#1819

1821: Fix UB in the SO_TYPE sockopt r=rtzoeller a=asomers When reading a value into an enum from getsockopt, we must validate it. Failing to do so can lead to UB for example with SOCK_PACKET on Linux. Perform the validation in GetSockOpt::get. Currently SockType is the only type that requires validation. Fixes #1819 Co-authored-by: Alan Somers <asomers@gmail.com>

When reading a value into an enum from getsockopt, we must validate it. Failing to do so can lead to UB for example with SOCK_PACKET on Linux. Perform the validation in GetSockOpt::get. Currently SockType is the only type that requires validation. Fixes nix-rust#1819

asomers added the A-bug label Sep 15, 2022

asomers self-assigned this Sep 15, 2022

asomers mentioned this issue Sep 17, 2022

Fix UB in the SO_TYPE sockopt #1821

Merged

bors bot closed this as completed in 8e91b28 Nov 29, 2022

SteveLauC mentioned this issue Aug 11, 2024

chore: allow unreachable pattern in macro getsockopt_impl #2470

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`impl GetSockOpt for nix::sys::socket::sockopt::SockType` causes UB with unknown socket type #1819

`impl GetSockOpt for nix::sys::socket::sockopt::SockType` causes UB with unknown socket type #1819

ahcodedthat commented Sep 15, 2022

asomers commented Sep 15, 2022

impl GetSockOpt for nix::sys::socket::sockopt::SockType causes UB with unknown socket type #1819

impl GetSockOpt for nix::sys::socket::sockopt::SockType causes UB with unknown socket type #1819

Comments

ahcodedthat commented Sep 15, 2022

Description

Alternative

Proof of concept

asomers commented Sep 15, 2022

`impl GetSockOpt for nix::sys::socket::sockopt::SockType` causes UB with unknown socket type #1819

`impl GetSockOpt for nix::sys::socket::sockopt::SockType` causes UB with unknown socket type #1819