Even though I have no idea what I'm doing, the patch below is enough to thwart the reproducer. There are multiple places where the result of sotounpcb is used without checking the result, but I don't know which invariants are established non-locally.
Please do me a favor when committing this or a proper fix and heed syzkaller's request:

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2cd350dfe5c96f646...@syzkaller.appspotmail.com

--- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1905,6 +1905,8 @@ sogetopt(struct socket *so, int level, int optname, struct mbuf *m) case SO_PEERCRED: if (so->so_proto->pr_protocol == AF_UNIX) { struct unpcb *unp = sotounpcb(so); + if (unp == NULL) + return (EINVAL); if (unp->unp_flags & UNP_FEIDS) { m->m_len = sizeof(unp->unp_connid);

On Sat, Dec 1, 2018 at 3:13 PM Greg Steuck <g...@nest.cx> wrote:
> This is the offending line:
>
> https://github.com/openbsd/src/blob/7c13478cbf7a624ad524dc377f8c2a7e497c0f3b/sys/kern/uipc_socket.c#L1909
> case SO_PEERCRED:
> if (so->so_proto->pr_protocol == AF_UNIX) {
> struct unpcb *unp = sotounpcb(so);
>
> *if (unp->unp_flags & UNP_FEIDS) {*
>
> I want to automate this whole objdump -dlr business, too much manual work.

--
nest.cx is Gmail hosted, use PGP for anything private. Key: http://goo.gl/6dMsr
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0
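Review bot: the added `if (unp == NULL) return (EINVAL);` guards only this SO_PEERCRED site, while the cover text itself says sotounpcb() results are used unchecked in several other places; the commit should either cover those callers too or say why this is the only one reachable from getsockopt. The errno also deserves a second look: EINVAL signals a bad argument, but a NULL pcb here means the socket's AF_UNIX state is gone, so check what the rest of sogetopt returns in comparable cases and whether callers expect m->m_len to be set on every successful return (the hunk sets it only on the UNP_FEIDS path it shows).

As an added illustration, not code from this thread, from the OpenBSD tree, or from syzkaller, the following plain C models the pattern the patch applies: a protocol control block reached through an unchecked cast of so_pcb, and a getsockopt-style handler that refuses to dereference it once the pcb has been detached. The struct layouts, the UNP_FEIDS value, the optbuf type standing in for the mbuf, and the ENOTCONN branch for a socket without received credentials are all assumptions made for this example; only the sotounpcb() macro shape (a cast of so_pcb) and the NULL-check-then-EINVAL step come from the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy models of the kernel structures. Field names follow the hunk; the
 * layouts and the flag value are invented for this example. */
#define UNP_FEIDS 0x01          /* assumed: peer credentials were received */
#define AF_UNIX_MODEL 1         /* assumed: stands in for AF_UNIX */

struct sockpeercred { uint32_t uid, gid, pid; };

struct unpcb {
    unsigned unp_flags;
    struct sockpeercred unp_connid;
};

struct socket {
    int so_protocol;            /* stands in for so->so_proto->pr_protocol */
    void *so_pcb;               /* NULL once the protocol-level pcb is detached */
};

/* Same shape as OpenBSD's sotounpcb(): a bare cast, no validity check. */
#define sotounpcb(so) ((struct unpcb *)((so)->so_pcb))

/* Output buffer standing in for the mbuf the real code fills. */
struct optbuf { size_t len; struct sockpeercred cred; };

/* Hardened SO_PEERCRED path: never touch the pcb when it is gone. */
int peercred_getopt(struct socket *so, struct optbuf *out)
{
    if (so->so_protocol != AF_UNIX_MODEL)
        return EOPNOTSUPP;
    struct unpcb *unp = sotounpcb(so);
    if (unp == NULL)
        return EINVAL;          /* the check the patch adds */
    if (!(unp->unp_flags & UNP_FEIDS))
        return ENOTCONN;        /* modelled branch; the hunk does not show it */
    out->len = sizeof(unp->unp_connid);
    memcpy(&out->cred, &unp->unp_connid, sizeof out->cred);
    return 0;
}

/* Scenario helper: the pcb is detached before the option is read, which is
 * the state the unchecked version dereferences. */
void model_detach(struct socket *so)
{
    so->so_pcb = NULL;
}
```

Running the handler once on a connected socket and once after model_detach() shows the difference between the two code paths: the first call copies the credentials, the second returns EINVAL instead of reading through a NULL pointer.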