Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/kern Fix bohr bug triggered only once by syzkaller 2,5 m...
details: https://anonhg.NetBSD.org/src/rev/edba0b26d43e
branches: trunk
changeset: 1010809:edba0b26d43e
user: maxv <maxv%NetBSD.org@localhost>
date: Sun Jun 07 15:19:05 2020 +0000
description:
Fix bohr bug triggered only once by syzkaller 2,5 months ago.
In sockopt_alloc(), 'sopt' may already have been initialized with
'sopt->sopt_data = sopt->sopt_buf'. If the allocation fails, we
end up with 'sopt->sopt_data = NULL', and later try to free this
NULL pointer in sockopt_destroy().
Fix that by not modifying 'sopt_data' if the allocation failed.
Difficult to reproduce in normal times, but fault(4) makes it
easy.
Reported-by: syzbot+380cb5d518742f063ad2%syzkaller.appspotmail.com@localhost
diffstat:
sys/kern/uipc_socket.c | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
diffs (36 lines):
diff -r 226a1de993e3 -r edba0b26d43e sys/kern/uipc_socket.c
--- a/sys/kern/uipc_socket.c Sun Jun 07 14:55:13 2020 +0000
+++ b/sys/kern/uipc_socket.c Sun Jun 07 15:19:05 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $ */
+/* $NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $ */
/*
* Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -2039,13 +2039,15 @@
static int
sockopt_alloc(struct sockopt *sopt, size_t len, km_flag_t kmflag)
{
+ void *data;
KASSERT(sopt->sopt_size == 0);
if (len > sizeof(sopt->sopt_buf)) {
- sopt->sopt_data = kmem_zalloc(len, kmflag);
- if (sopt->sopt_data == NULL)
+ data = kmem_zalloc(len, kmflag);
+ if (data == NULL)
return ENOMEM;
+ sopt->sopt_data = data;
} else
sopt->sopt_data = sopt->sopt_buf;
Home |
Main Index |
Thread Index |
Old Index