sound: Correctly check nvlist_unpack() error
ClosedPublic
Actions

Authored by christos on May 17 2024, 10:38 PM.

Details

Reviewers

markj
emaste
dev_submerge.ch
imp

Commits

rG8d3f96bd85c9: sound: Correctly check nvlist_unpack() error
rG45feaa73c680: sound: Correctly check nvlist_unpack() error
rG64f4e2db6d19: sound: Correctly check nvlist_unpack() error

Summary

The current check is never false and If nvlist_unpack(), we might panic
later down the road.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days

Test Plan

To reproduce the panic, call SNDSTIOC_ADD_USER_DEVS with an uninitialized sndstioc_nv_arg->buf:

#include <sys/sndstat.h>

#include <err.h>
#include <fcntl.h>
#include <string.h>

int
main(int argc, char *argv[])
{
        struct sndstioc_nv_arg arg;
        int fd;

        if ((fd = open("/dev/sndstat", O_RDWR)) < 0)
                err(1, "open()");
        arg.nbytes = 14;
        if (ioctl(fd, SNDSTIOC_ADD_USER_DEVS, &arg) < 0)
                err(1, "ioctl(SNDSTIOC_ADD_USER_DEVS)");

        return (0);
}

Panic:

panic: Assertion (nvl) != ((void *)0) failed at /mnt/src/sys/contrib/libnv/nvlist.c:387
cpuid = 0
time = 1715988197
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046d42270
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046d423d0
vpanic() at vpanic+0x210/frame 0xfffffe0046d42570
panic() at panic+0xb5/frame 0xfffffe0046d42640
nvlist_find() at nvlist_find+0x11f/frame 0xfffffe0046d42680
nvlist_exists_nvlist_array() at nvlist_exists_nvlist_array+0x11/frame 0xfffffe0046d42690
sndstat_ioctl() at sndstat_ioctl+0x824/frame 0xfffffe0046d42790
devfs_ioctl() at devfs_ioctl+0x1f6/frame 0xfffffe0046d42870
vn_ioctl() at vn_ioctl+0x235/frame 0xfffffe0046d42a80
devfs_ioctl_f() at devfs_ioctl_f+0x6c/frame 0xfffffe0046d42ad0
kern_ioctl() at kern_ioctl+0x3a1/frame 0xfffffe0046d42bb0
sys_ioctl() at sys_ioctl+0x247/frame 0xfffffe0046d42d10
amd64_syscall() at amd64_syscall+0x39e/frame 0xfffffe0046d42f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0046d42f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x821be28fa, rsp = 0x820bf78a8, rbp = 0x820bf7960 ---
KDB: enter: panic
[ thread pid 945 tid 100108 ]
Stopped at      kdb_enter+0x34: movq    $0,0x1f09d01(%rip)

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

christos requested review of this revision.May 17 2024, 10:38 PM

christos created this revision.

Harbormaster completed remote builds in B57745: Diff 138704.May 17 2024, 10:39 PM

christos edited the test plan for this revision. (Show Details)May 17 2024, 10:40 PM

emaste accepted this revision.May 17 2024, 10:44 PM

This revision is now accepted and ready to land.May 17 2024, 10:44 PM

The current check is never false and If nvlist_unpack(), we might panic later down the road.

Commit message should probably be "... if nvlist_unpack() fails, ..."?

In D45237#1032029, @dev_submerge.ch wrote:

The current check is never false and If nvlist_unpack(), we might panic later down the road.

Commit message should probably be "... if nvlist_unpack() fails, ..."?