[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2024-05-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

--- Comment #4 from commit-h...@freebsd.org ---
A commit in branch releng/14.1 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=8d3f96bd85c9519cef76d0727b00082354a2134b

commit 8d3f96bd85c9519cef76d0727b00082354a2134b
Author: Christos Margiolis 
AuthorDate: 2024-05-20 14:18:33 +
Commit: Christos Margiolis 
CommitDate: 2024-05-22 13:22:40 +

sound: Correctly check nvlist_unpack() error

The current check is never false and if nvlist_unpack() fails, we might
panic later down the road.

PR:             266144
Sponsored by:   The FreeBSD Foundation
MFC after:      1 day
Reviewed by:    dev_submerge.ch, emaste
Differential Revision:  https://reviews.freebsd.org/D45237

(cherry picked from commit 64f4e2db6d19d8ab520903a197fcaa8cc7ab9f9a)
(cherry picked from commit 45feaa73c68011bbba647d1eb6f86a166a0453e9)

Approved by:    re (cperciva)

 sys/dev/sound/pcm/sndstat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2024-05-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

--- Comment #3 from commit-h...@freebsd.org ---
A commit in branch stable/14 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=45feaa73c68011bbba647d1eb6f86a166a0453e9

commit 45feaa73c68011bbba647d1eb6f86a166a0453e9
Author: Christos Margiolis 
AuthorDate: 2024-05-20 14:18:33 +
Commit: Christos Margiolis 
CommitDate: 2024-05-21 17:45:55 +

sound: Correctly check nvlist_unpack() error

The current check is never false and if nvlist_unpack() fails, we might
panic later down the road.

PR:             266144
Sponsored by:   The FreeBSD Foundation
MFC after:      1 day
Reviewed by:    dev_submerge.ch, emaste
Differential Revision:  https://reviews.freebsd.org/D45237

(cherry picked from commit 64f4e2db6d19d8ab520903a197fcaa8cc7ab9f9a)

 sys/dev/sound/pcm/sndstat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2024-05-20 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

Christos Margiolis  changed:

           What    |Removed    |Added
         Resolution|---        |FIXED
             Status|Open       |Closed



[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2024-05-20 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

--- Comment #2 from commit-h...@freebsd.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=64f4e2db6d19d8ab520903a197fcaa8cc7ab9f9a

commit 64f4e2db6d19d8ab520903a197fcaa8cc7ab9f9a
Author: Christos Margiolis 
AuthorDate: 2024-05-20 14:18:33 +
Commit: Christos Margiolis 
CommitDate: 2024-05-20 14:18:33 +

sound: Correctly check nvlist_unpack() error

The current check is never false and if nvlist_unpack() fails, we might
panic later down the road.

PR:             266144
Sponsored by:   The FreeBSD Foundation
MFC after:      1 day
Reviewed by:    dev_submerge.ch, emaste
Differential Revision:  https://reviews.freebsd.org/D45237

 sys/dev/sound/pcm/sndstat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2024-05-17 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

Christos Margiolis  changed:

           What    |Removed    |Added
                 CC|           |chris...@freebsd.org

--- Comment #1 from Christos Margiolis  ---
Hello Robert. I hit this bug a few minutes ago and I just stumbled upon your
bug report. The fix is indeed what you proposed:
https://reviews.freebsd.org/D45237



[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2022-09-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

Ed Maste  changed:

           What    |Removed    |Added
             Status|New        |Open



[Bug 266144] bug in sndstat_unpack_user_nvlbuf()

2022-08-31 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266144

Bug ID: 266144
   Summary: bug in sndstat_unpack_user_nvlbuf()
   Product: Base System
   Version: CURRENT
  Hardware: Any
OS: Any
Status: New
  Severity: Affects Some People
  Priority: ---
 Component: kern
  Assignee: b...@freebsd.org
  Reporter: r...@lcs.mit.edu

In this code in sndstat_unpack_user_nvlbuf() in sys/dev/sound/pcm/sndstat.c:

	*nvl = nvlist_unpack(nvlbuf, nbytes, 0);
	free(nvlbuf, M_DEVBUF);
	if (nvl == NULL) {
		return (EINVAL);
	}

I believe it should be

	if (*nvl == NULL) {

Without this fix, if nvlist_unpack() returns NULL, subsequent code
will panic when it tries to use a NULL *nvl.

A demo:

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main() {
  char *dev = "/dev/sndstat";
  int fd = open(dev, O_RDWR);          /* O_RDWR == 2 on FreeBSD */
  if(fd < 0) { perror(dev); exit(1); }
  char buf2[64];                       /* all-zero buffer: not a valid packed nvlist */
  memset(buf2, 0, sizeof(buf2));
  char buf1[128];                      /* ioctl argument struct laid out by hand */
  memset(buf1, 0, sizeof(buf1));
  *(int*)(buf1+0) = sizeof(buf2);      /* byte count of the nvlist buffer */
  *(char**)(buf1+8) = buf2;            /* pointer to the nvlist buffer */
  ioctl(fd, 0xc0104466, buf1); // SNDSTIOC_ADD_USER_DEVS
  return 0;
}

panic: Assertion (nvl) != ((void *)0) failed at
/usr/rtm/symbsd/src/sys/contrib/libnv/nvlist.c:387
panic() at panic+0x2a
nvlist_find() at nvlist_find+0xd4
nvlist_exists_nvlist_array() at nvlist_exists_nvlist_array+0x10
sndstat_add_user_devs() at sndstat_add_user_devs+0x4e
sndstat_ioctl() at sndstat_ioctl+0x9e
devfs_ioctl() at devfs_ioctl+0xbe
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30
VOP_IOCTL() at VOP_IOCTL+0x36
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

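As an added illustration (not code from the bug report or from the FreeBSD tree), the following userland mock reproduces the check in sndstat_unpack_user_nvlbuf() before and after the fix; nvlist_t, mock_nvlist_unpack() and the two sample buffers are constructed stand-ins for libnv and for the ioctl input, so it builds and runs without FreeBSD headers.

```c
/* Added illustration, not FreeBSD code: a userland mock of the check in
 * sndstat_unpack_user_nvlbuf(), before and after the fix. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct nvlist_mock { int unused; } nvlist_t; /* constructed stand-in */

/* Constructed mock of nvlist_unpack(): only a buffer starting with byte 0x6c
 * unpacks; anything else yields NULL, as libnv does for a malformed buffer. */
static nvlist_t *mock_nvlist_unpack(const void *buf, size_t size, int flags)
{
	(void)flags;
	if (buf == NULL || size == 0 || ((const unsigned char *)buf)[0] != 0x6c)
		return NULL;
	return calloc(1, sizeof(nvlist_t));
}

/* Pre-fix check: `nvl` is the address of the caller's out-parameter and is
 * never NULL, so the EINVAL branch is dead and the caller gets 0 with
 * *nvl == NULL, which later code then dereferences. */
int unpack_buggy(const void *nvlbuf, size_t nbytes, nvlist_t **nvl)
{
	*nvl = mock_nvlist_unpack(nvlbuf, nbytes, 0);
	if (nvl == NULL)
		return EINVAL;
	return 0;
}

/* Post-fix check (commit 64f4e2db6d19): test the unpacked list itself. */
int unpack_fixed(const void *nvlbuf, size_t nbytes, nvlist_t **nvl)
{
	*nvl = mock_nvlist_unpack(nvlbuf, nbytes, 0);
	if (*nvl == NULL)
		return EINVAL;
	return 0;
}

/* Constructed inputs: an all-zero buffer like the reporter's demo sends,
 * and one the mock accepts. */
const unsigned char garbage_buf[64] = { 0 };
const unsigned char wellformed_buf[4] = { 0x6c, 0, 0, 0 };

int main(void)
{
	nvlist_t *nvl = NULL;
	int rc_buggy = unpack_buggy(garbage_buf, sizeof(garbage_buf), &nvl);
	int rc_fixed = unpack_fixed(garbage_buf, sizeof(garbage_buf), &nvl);
	return (rc_buggy == 0 && nvl == NULL && rc_fixed == EINVAL) ? 0 : 1;
}
```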