Date: Fri, 29 May 2026 15:27:09 +0000
From: ShengYi Hung <aokblast@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Shunchao Hu <ankohuu@gmail.com>
Subject: git: 1ea682ec2f9e - stable/14 - compat/linprocfs: Fix auxv sbuf leak
Message-ID: <6a19b04d.26ff6.11ff214c@gitrepo.freebsd.org>
The branch stable/14 has been updated by aokblast: URL: https://cgit.FreeBSD.org/src/commit/?id=1ea682ec2f9eead529f67205060b025b6f92cad2 commit 1ea682ec2f9eead529f67205060b025b6f92cad2 Author: Shunchao Hu <ankohuu@gmail.com> AuthorDate: 2026-04-04 10:27:53 +0000 Commit: ShengYi Hung <aokblast@FreeBSD.org> CommitDate: 2026-05-29 15:26:08 +0000 compat/linprocfs: Fix auxv sbuf leak linprocfs_doauxv() allocates an automatic sbuf before validating whether the requested read can be satisfied. When the computed auxv read length exceeds IOSIZE_MAX, or when the buffer length is too big, the function returns early without releasing the sbuf. Route these early exits through a shared cleanup path so the sbuf is always deleted after sbuf_new_auto() succeeds. Signed-off-by: Shunchao Hu <ankohuu@gmail.com> Reviewed by: des, spmzt, zlei, aokblast MFC after: 2 weeks Pull Request: https://github.com/freebsd/freebsd-src/pull/2118 (cherry picked from commit 16aa49f6d1bbe70cd3e851139eb63d566de49b12) --- sys/compat/linprocfs/linprocfs.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c index 023134a9ba14..f0a7d7fd0b17 100644 --- a/sys/compat/linprocfs/linprocfs.c +++ b/sys/compat/linprocfs/linprocfs.c 
@@ -2028,23 +2028,26 @@ linprocfs_doauxv(PFS_FILL_ARGS) if (asb == NULL) return (ENOMEM); error = proc_getauxv(td, p, asb); - if (error == 0) - error = sbuf_finish(asb); + if (error != 0) + goto out; + error = sbuf_finish(asb); + if (error != 0) + goto out; resid = sbuf_len(asb) - uio->uio_offset; if (resid > uio->uio_resid) buflen = uio->uio_resid; else buflen = resid; - if (buflen > IOSIZE_MAX) - return (EINVAL); + if (buflen > IOSIZE_MAX) { + error = EINVAL; + goto out; + } if (buflen > maxphys) buflen = maxphys; - if (resid <= 0) - return (0); - - if (error == 0) + if (resid > 0) error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio); +out: sbuf_delete(asb); return (error); }home | help
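Review bot: The `resid > 0` test still comes after the `buflen > IOSIZE_MAX` check, so a read whose `uio->uio_offset` lies past `sbuf_len(asb)` copies a negative `resid` into `buflen` before `resid` is examined; depending on the declared types, which are outside this hunk, that path can return EINVAL instead of 0 at end of data. Consider testing `resid <= 0` right after it is computed and jumping to `out` with `error` still 0, then deriving `buflen` only for the positive case. Separately, the commit message names "the buffer length is too big" as the second leaking exit, while the second early return removed here is `if (resid <= 0) return (0);`, so the message would be more accurate if it described the nothing-left-to-read case.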
