Even though I have no idea what I'm doing, the patch below is enough to
thwart the reproducer. There are multiple places where the result of
sotounpcb is used without checking the result, but I don't know which
invariants are established non-locally.

Please do me a favor when committing this or a proper fix and heed
syzkaller's request:
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2cd350dfe5c96f646...@syzkaller.appspotmail.com

--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1905,6 +1905,8 @@ sogetopt(struct socket *so, int level, int optname,
struct mbuf *m)
                case SO_PEERCRED:
                        if (so->so_proto->pr_protocol == AF_UNIX) {
                                struct unpcb *unp = sotounpcb(so);
+                               if (unp == NULL)
+                                       return (EINVAL);

                                if (unp->unp_flags & UNP_FEIDS) {
                                        m->m_len = sizeof(unp->unp_connid);
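Review bot: the NULL check covers only this one sotounpcb() site, while the cover text itself says the result is used unchecked in several other places; the condition that leaves sotounpcb() returning NULL here is also not stated, so a short comment above the check (e.g. `/* no unpcb attached; cannot look up peer creds */`) would make it clear why EINVAL rather than a connection-state error is the intended response, and would help whoever lands the proper fix decide whether the same guard belongs at the other call sites.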


On Sat, Dec 1, 2018 at 3:13 PM Greg Steuck <g...@nest.cx> wrote:

> This is the offending line:
>
> https://github.com/openbsd/src/blob/7c13478cbf7a624ad524dc377f8c2a7e497c0f3b/sys/kern/uipc_socket.c#L1909
>                 case SO_PEERCRED:
>                         if (so->so_proto->pr_protocol == AF_UNIX) {
>                                 struct unpcb *unp = sotounpcb(so);
>
>                                 if (unp->unp_flags & UNP_FEIDS) {
>
> I want to automate this whole objdump -dlr business, too much manual work.

-- 
nest.cx is Gmail hosted, use PGP for anything private. Key:
http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0
