The branch main has been updated by aokblast: URL: https://cgit.FreeBSD.org/src/commit/?id=16aa49f6d1bbe70cd3e851139eb63d566de49b12
commit 16aa49f6d1bbe70cd3e851139eb63d566de49b12 Author: Shunchao Hu <[email protected]> AuthorDate: 2026-04-04 10:27:53 +0000 Commit: ShengYi Hung <[email protected]> CommitDate: 2026-04-08 15:30:23 +0000 compat/linprocfs: Fix auxv sbuf leak linprocfs_doauxv() allocates an automatic sbuf before validating whether the requested read can be satisfied. When the computed auxv read length exceeds IOSIZE_MAX, or when the buffer length is too big, the function returns early without releasing the sbuf. Route these early exits through a shared cleanup path so the sbuf is always deleted after sbuf_new_auto() succeeds. Signed-off-by: Shunchao Hu <[email protected]> Reviewed by: des, spmzt, zlei, aokblast MFC after: 2 weeks Pull Request: https://github.com/freebsd/freebsd-src/pull/2118 --- sys/compat/linprocfs/linprocfs.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c index 7ac48786c77b..941b76788dc1 100644 --- a/sys/compat/linprocfs/linprocfs.c +++ b/sys/compat/linprocfs/linprocfs.c @@ -2026,23 +2026,26 @@ linprocfs_doauxv(PFS_FILL_ARGS) if (asb == NULL) return (ENOMEM); error = proc_getauxv(td, p, asb); - if (error == 0) - error = sbuf_finish(asb); + if (error != 0) + goto out; + error = sbuf_finish(asb); + if (error != 0) + goto out; resid = sbuf_len(asb) - uio->uio_offset; if (resid > uio->uio_resid) buflen = uio->uio_resid; else buflen = resid; - if (buflen > IOSIZE_MAX) - return (EINVAL); + if (buflen > IOSIZE_MAX) { + error = EINVAL; + goto out; + } if (buflen > maxphys) buflen = maxphys; - if (resid <= 0) - return (0); - - if (error == 0) + if (resid > 0) error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio); +out: sbuf_delete(asb); return (error); }
