git: a9ef2c901a8b - stable/14 - socket: Don't assume m0 != NULL in sbappendcontrol_locked()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 09 Feb 2024 15:04:29 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=a9ef2c901a8b7101414a6bb778f991e9cb3b50c9
commit a9ef2c901a8b7101414a6bb778f991e9cb3b50c9
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-02-02 18:58:37 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-02-09 14:56:02 +0000
socket: Don't assume m0 != NULL in sbappendcontrol_locked()
Some callers (e.g., ktls_decrypt()) violate this assumption and thus
could trigger a NULL pointer dereference in KMSAN kernels.
Reported by: glebius
Fixes: ec45f952a232 ("sockbuf: Add KMSAN checks to sbappend*()")
MFC after: 1 week
(cherry picked from commit 30f8cb812e27d8ab40a2c0669ac20a8ee45a7c56)
---
sys/kern/uipc_sockbuf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index e76f198f42dc..406fdca11b47 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -1328,7 +1328,8 @@ sbappendcontrol_locked(struct sockbuf *sb, struct mbuf *m0,
{
struct mbuf *m, *mlast;
- kmsan_check_mbuf(m0, "sbappend");
+ if (m0 != NULL)
+ kmsan_check_mbuf(m0, "sbappend");
kmsan_check_mbuf(control, "sbappend");
sbm_clrprotoflags(m0, flags);