Module Name: src Committed By: maxv Date: Sun Jun 7 15:19:05 UTC 2020
Modified Files: src/sys/kern: uipc_socket.c Log Message: Fix bohr bug triggered only once by syzkaller 2,5 months ago. In sockopt_alloc(), 'sopt' may already have been initialized with 'sopt->sopt_data = sopt->sopt_buf'. If the allocation fails, we end up with 'sopt->sopt_data = NULL', and later try to free this NULL pointer in sockopt_destroy(). Fix that by not modifying 'sopt_data' if the allocation failed. Difficult to reproduce in normal times, but fault(4) makes it easy. Reported-by: syzbot+380cb5d518742f063...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.289 -r1.290 src/sys/kern/uipc_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_socket.c
diff -u src/sys/kern/uipc_socket.c:1.289 src/sys/kern/uipc_socket.c:1.290
--- src/sys/kern/uipc_socket.c:1.289 Sun Apr 26 14:21:14 2020
+++ src/sys/kern/uipc_socket.c Sun Jun 7 15:19:05 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $ */
+/* $NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $ */
 /* * Copyright (c) 2002, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -71,7 +71,7 @@ */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.289 2020/04/26 14:21:14 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.290 2020/06/07 15:19:05 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -2039,13 +2039,15 @@ sogetopt(struct socket *so, struct socko
 static int
 sockopt_alloc(struct sockopt *sopt, size_t len, km_flag_t kmflag)
 {
+ void *data;
 KASSERT(sopt->sopt_size == 0);
 if (len > sizeof(sopt->sopt_buf)) {
- sopt->sopt_data = kmem_zalloc(len, kmflag);
- if (sopt->sopt_data == NULL)
+ data = kmem_zalloc(len, kmflag);
+ if (data == NULL)
 return ENOMEM;
+ sopt->sopt_data = data;
 } else
 sopt->sopt_data = sopt->sopt_buf;
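Review bot: The reason for the `data` temporary in sockopt_alloc() is not recorded in the code, so a later cleanup could fold it back into `sopt->sopt_data` and reintroduce the NULL free in sockopt_destroy() that the log describes; a short comment above `data = kmem_zalloc(len, kmflag);` such as `/* Leave sopt_data untouched on failure: the caller may already point it at sopt_buf. */` would pin that intent, assuming sockopt_destroy() indeed frees any sopt_data that is not sopt_buf as the log implies. The entry assertion checks only `sopt->sopt_size == 0`; if the invariant the fix relies on is that sopt_data is either NULL or sopt_buf on entry, `KASSERT(sopt->sopt_data == NULL || sopt->sopt_data == sopt->sopt_buf);` next to the existing KASSERT would make that state explicit, though this should be confirmed against how callers initialize sopt. The body of sockopt_alloc() continues past the end of the hunk, so the tail that records the size and returns is not visible here.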