From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231514] Potential null pointer deference in function ffec_alloc_mbufcl (sys/dev/ffec/if_ffec.c)
Date: Thu, 20 Sep 2018 13:28:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231514

            Bug ID: 231514
           Summary: Potential null pointer deference in function
                    ffec_alloc_mbufcl (sys/dev/ffec/if_ffec.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 197278
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197278&action=edit
Patch_for_FFEC_NULL-POINTER-DEFERENCE

There is a potential null pointer dereference in function ffec_alloc_mbufcl
(sys/dev/ffec/if_ffec.c).

 798 static struct mbuf *
 799 ffec_alloc_mbufcl(struct ffec_softc *sc)
 800 {
 801         struct mbuf *m;
 802
 803         m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
 804         m->m_pkthdr.len = m->m_len = m->m_ext.ext_size;
 805
 806         return (m);
 807 }

m_getcl(how, type, flags)
        Fetch an mbuf with a mbuf cluster attached to it. If one of the
        allocations fails, the entire allocation fails. This routine is
        the preferred way of fetching both the mbuf and mbuf cluster
        together, as it avoids having to unlock/relock between
        allocations. Returns NULL on failure.

If line 803 returns NULL on failure, then there is a null pointer dereference
vulnerability.

The attachment is the proposed patch.
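
The pattern described in the report, with the allocation result checked before use, as an added example. It is not the attached patch and not FreeBSD code. The names mbuf_model, model_getcl, alloc_mbufcl_checked, refill_ring, the fault-injection counter and the 2048-byte size are assumptions made so that the failure path can be exercised in userspace.

```c
#include <stdlib.h>

/* Constructed userspace stand-ins; not FreeBSD kernel definitions. */
struct mbuf_model {
    int m_len;
    struct { int len; } m_pkthdr;
    struct { int ext_size; } m_ext;
};

/* Fault injection: every Nth allocation fails (0 = never fail). */
static int fail_every, alloc_calls;

/* Stand-in for m_getcl(M_NOWAIT, ...): returns NULL on failure. */
static struct mbuf_model *model_getcl(void)
{
    struct mbuf_model *m;
    if (fail_every != 0 && ++alloc_calls % fail_every == 0)
        return NULL;
    m = calloc(1, sizeof(*m));
    if (m != NULL)
        m->m_ext.ext_size = 2048;   /* assumed cluster size */
    return m;
}

/* Same shape as the reported function, with the result checked before use. */
static struct mbuf_model *alloc_mbufcl_checked(void)
{
    struct mbuf_model *m = model_getcl();
    if (m == NULL)
        return NULL;   /* hand the failure to the caller, no dereference */
    m->m_pkthdr.len = m->m_len = m->m_ext.ext_size;
    return m;
}

/* Hypothetical caller: fill n ring slots and count those left empty. */
static int refill_ring(struct mbuf_model **ring, int n)
{
    int missed = 0;
    for (int i = 0; i < n; i++)
        if ((ring[i] = alloc_mbufcl_checked()) == NULL)
            missed++;
    return missed;
}

int main(void)
{
    struct mbuf_model *ring[8];
    fail_every = 3;   /* allocations 3 and 6 fail */
    return refill_ring(ring, 8) == 2 ? 0 : 1;
}
```

Returning NULL only moves the obligation: every caller of the checked function has to test the result as well, as refill_ring does here.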