git: 30f8cb812e27 - main - socket: Don't assume m0 != NULL in sbappendcontrol_locked()

Mark Johnston Fri, 02 Feb 2024 11:01:31 -0800

The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=30f8cb812e27d8ab40a2c0669ac20a8ee45a7c56


commit 30f8cb812e27d8ab40a2c0669ac20a8ee45a7c56
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2024-02-02 18:58:37 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2024-02-02 19:00:37 +0000

    socket: Don't assume m0 != NULL in sbappendcontrol_locked()
    
    Some callers (e.g., ktls_decrypt()) violate this assumption and thus
    could trigger a NULL pointer dereference in KMSAN kernels.
    
    Reported by:    glebius
    Fixes:          ec45f952a232 ("sockbuf: Add KMSAN checks to sbappend*()")
    MFC after:      1 week
---
 sys/kern/uipc_sockbuf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index 2732ee8199ee..6d3050596f23 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -1326,7 +1326,8 @@ sbappendcontrol_locked(struct sockbuf *sb, struct mbuf 
*m0,
 {
        struct mbuf *m, *mlast;
 
-       kmsan_check_mbuf(m0, "sbappend");
+       if (m0 != NULL)
+               kmsan_check_mbuf(m0, "sbappend");
        kmsan_check_mbuf(control, "sbappend");
 
        sbm_clrprotoflags(m0, flags);

git: 30f8cb812e27 - main - socket: Don't assume m0 != NULL in sbappendcontrol_locked()

Reply via email to