Date: Fri, 29 May 2026 15:20:34 +0000
From: ShengYi Hung <aokblast@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Shunchao Hu <ankohuu@gmail.com>
Subject: git: 4669f572f7f9 - stable/15 - compat/linprocfs: Fix auxv sbuf leak
Message-ID: <6a19aec2.3006e.16c71a7c@gitrepo.freebsd.org>
The branch stable/15 has been updated by aokblast:

URL: https://cgit.FreeBSD.org/src/commit/?id=4669f572f7f9156d9d48ccab1a1309ec6d23a13a

commit 4669f572f7f9156d9d48ccab1a1309ec6d23a13a
Author:     Shunchao Hu <ankohuu@gmail.com>
AuthorDate: 2026-04-04 10:27:53 +0000
Commit:     ShengYi Hung <aokblast@FreeBSD.org>
CommitDate: 2026-05-29 15:19:48 +0000

    compat/linprocfs: Fix auxv sbuf leak

    linprocfs_doauxv() allocates an automatic sbuf before validating
    whether the requested read can be satisfied. When the computed auxv
    read length exceeds IOSIZE_MAX, or when the buffer length is too big,
    the function returns early without releasing the sbuf.

    Route these early exits through a shared cleanup path so the sbuf is
    always deleted after sbuf_new_auto() succeeds.

    Signed-off-by: Shunchao Hu <ankohuu@gmail.com>
    Reviewed by: des, spmzt, zlei, aokblast
    MFC after: 2 weeks
    Pull Request: https://github.com/freebsd/freebsd-src/pull/2118

    (cherry picked from commit 16aa49f6d1bbe70cd3e851139eb63d566de49b12)
---
 sys/compat/linprocfs/linprocfs.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c
index 7ac48786c77b..941b76788dc1 100644
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@@ -2026,23 +2026,26 @@ linprocfs_doauxv(PFS_FILL_ARGS) if (asb == NULL) return (ENOMEM); error = proc_getauxv(td, p, asb); - if (error == 0) - error = sbuf_finish(asb); + if (error != 0) + goto out; + error = sbuf_finish(asb); + if (error != 0) + goto out; resid = sbuf_len(asb) - uio->uio_offset; if (resid > uio->uio_resid) buflen = uio->uio_resid; else buflen = resid; - if (buflen > IOSIZE_MAX) - return (EINVAL); + if (buflen > IOSIZE_MAX) { + error = EINVAL; + goto out; + } if (buflen > maxphys) buflen = maxphys; - if (resid <= 0) - return (0); - - if (error == 0) + if (resid > 0) error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio); +out: sbuf_delete(asb); return (error); }
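Review bot: The commit message's second leak case, "when the buffer length is too big", does not match the second early return removed in this hunk, which is `if (resid <= 0) return (0);`, the read at or past the end of the auxv data. The message also leaves out a behaviour change in the first lines of the hunk: a failure from proc_getauxv() or sbuf_finish() now jumps to `out` at once, whereas the old code went on to compute resid from the sbuf and could return 0 or EINVAL in place of the original error. Suggest rewording the message to name the resid <= 0 exit and to mention the changed error propagation.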