git: 16aa49f6d1bb - main - compat/linprocfs: Fix auxv sbuf leak
Date: Wed, 08 Apr 2026 15:31:02 UTC
The branch main has been updated by aokblast:
URL: https://cgit.FreeBSD.org/src/commit/?id=16aa49f6d1bbe70cd3e851139eb63d566de49b12
commit 16aa49f6d1bbe70cd3e851139eb63d566de49b12
Author: Shunchao Hu <ankohuu@gmail.com>
AuthorDate: 2026-04-04 10:27:53 +0000
Commit: ShengYi Hung <aokblast@FreeBSD.org>
CommitDate: 2026-04-08 15:30:23 +0000
compat/linprocfs: Fix auxv sbuf leak
linprocfs_doauxv() allocates an automatic sbuf before validating
whether the requested read can be satisfied.
When the computed auxv read length exceeds IOSIZE_MAX, or when the
buffer length is too big, the function returns early without
releasing the sbuf.
Route these early exits through a shared cleanup path so the sbuf is
always deleted after sbuf_new_auto() succeeds.
Signed-off-by: Shunchao Hu <ankohuu@gmail.com>
Reviewed by: des, spmzt, zlei, aokblast
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/2118
---
sys/compat/linprocfs/linprocfs.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c
index 7ac48786c77b..941b76788dc1 100644
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@@ -2026,23 +2026,26 @@ linprocfs_doauxv(PFS_FILL_ARGS)
if (asb == NULL)
return (ENOMEM);
error = proc_getauxv(td, p, asb);
- if (error == 0)
- error = sbuf_finish(asb);
+ if (error != 0)
+ goto out;
+ error = sbuf_finish(asb);
+ if (error != 0)
+ goto out;
resid = sbuf_len(asb) - uio->uio_offset;
if (resid > uio->uio_resid)
buflen = uio->uio_resid;
else
buflen = resid;
- if (buflen > IOSIZE_MAX)
- return (EINVAL);
+ if (buflen > IOSIZE_MAX) {
+ error = EINVAL;
+ goto out;
+ }
if (buflen > maxphys)
buflen = maxphys;
- if (resid <= 0)
- return (0);
-
- if (error == 0)
+ if (resid > 0)
error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio);
+out:
sbuf_delete(asb);
return (error);
}
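Review bot: `buflen` is still computed from `resid` before `resid` is tested for being positive, so the new `if (resid > 0)` guard only protects the `uiomove()` call and not the `buflen > IOSIZE_MAX` check above it. When `uio->uio_offset` is at or past `sbuf_len(asb)`, `resid` is zero or negative and is assigned to `buflen`. The declarations are outside this hunk, but if `buflen` is unsigned, a negative `resid` would take the EINVAL branch instead of returning 0 for a read past the end of the data. The removed code had the same ordering, so this is not a regression. Since the cleanup label now exists, consider testing `resid <= 0` right after it is computed and jumping to `out` there (error is already 0 at that point), which keeps `buflen` from ever being derived from a non-positive value. Separately, the removed `if (resid <= 0) return (0);` was also an exit that skipped `sbuf_delete(asb)`. The commit message names only the IOSIZE_MAX and buffer-length cases, so the log could mention that this path is fixed as well.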