Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern Fix bohr bug triggered only once by syzkaller 2,5 m...



details:   https://anonhg.NetBSD.org/src/rev/edba0b26d43e
branches:  trunk
changeset: 1010809:edba0b26d43e
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun Jun 07 15:19:05 2020 +0000

description:
Fix bohr bug triggered only once by syzkaller 2,5 months ago.

In sockopt_alloc(), 'sopt' may already have been initialized with
'sopt->sopt_data = sopt->sopt_buf'. If the allocation fails, we
end up with 'sopt->sopt_data = NULL', and later try to free this
NULL pointer in sockopt_destroy().

Fix that by not modifying 'sopt_data' if the allocation failed.

Difficult to reproduce in normal times, but fault(4) makes it
easy.

Reported-by: syzbot+380cb5d518742f063ad2%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/uipc_socket.c |  10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 226a1de993e3 -r edba0b26d43e sys/kern/uipc_socket.c
--- a/sys/kern/uipc_socket.c    Sun Jun 07 14:55:13 2020 +0000
+++ b/sys/kern/uipc_socket.c    Sun Jun 07 15:19:05 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $       */
+/*     $NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $   */
 
 /*
  * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -71,7 +71,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -2039,13 +2039,15 @@
 static int
 sockopt_alloc(struct sockopt *sopt, size_t len, km_flag_t kmflag)
 {
+       void *data;
 
        KASSERT(sopt->sopt_size == 0);
 
        if (len > sizeof(sopt->sopt_buf)) {
-               sopt->sopt_data = kmem_zalloc(len, kmflag);
-               if (sopt->sopt_data == NULL)
+               data = kmem_zalloc(len, kmflag);
+               if (data == NULL)
                        return ENOMEM;
+               sopt->sopt_data = data;
        } else
                sopt->sopt_data = sopt->sopt_buf;
 



Home | Main Index | Thread Index | Old Index