
sound: Correctly check nvlist_unpack() error
ClosedPublic

Authored by christos on May 17 2024, 10:38 PM.

Details

Summary

The current check is never false, and if nvlist_unpack() fails, we might panic
later down the road.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days

Test Plan

To reproduce the panic, call SNDSTIOC_ADD_USER_DEVS with an uninitialized sndstioc_nv_arg->buf:

#include <sys/ioctl.h>
#include <sys/sndstat.h>

#include <err.h>
#include <fcntl.h>
#include <string.h>

int
main(int argc, char *argv[])
{
        struct sndstioc_nv_arg arg;
        int fd;

        if ((fd = open("/dev/sndstat", O_RDWR)) < 0)
                err(1, "open()");
        /*
         * arg.buf is deliberately left uninitialized: the kernel copies
         * arg.nbytes bytes from it, which are not a valid packed nvlist,
         * so nvlist_unpack() returns NULL.
         */
        arg.nbytes = 14;
        if (ioctl(fd, SNDSTIOC_ADD_USER_DEVS, &arg) < 0)
                err(1, "ioctl(SNDSTIOC_ADD_USER_DEVS)");

        return (0);
}

Panic:

panic: Assertion (nvl) != ((void *)0) failed at /mnt/src/sys/contrib/libnv/nvlist.c:387
cpuid = 0
time = 1715988197
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046d42270
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046d423d0
vpanic() at vpanic+0x210/frame 0xfffffe0046d42570
panic() at panic+0xb5/frame 0xfffffe0046d42640
nvlist_find() at nvlist_find+0x11f/frame 0xfffffe0046d42680
nvlist_exists_nvlist_array() at nvlist_exists_nvlist_array+0x11/frame 0xfffffe0046d42690
sndstat_ioctl() at sndstat_ioctl+0x824/frame 0xfffffe0046d42790
devfs_ioctl() at devfs_ioctl+0x1f6/frame 0xfffffe0046d42870
vn_ioctl() at vn_ioctl+0x235/frame 0xfffffe0046d42a80
devfs_ioctl_f() at devfs_ioctl_f+0x6c/frame 0xfffffe0046d42ad0
kern_ioctl() at kern_ioctl+0x3a1/frame 0xfffffe0046d42bb0
sys_ioctl() at sys_ioctl+0x247/frame 0xfffffe0046d42d10
amd64_syscall() at amd64_syscall+0x39e/frame 0xfffffe0046d42f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0046d42f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x821be28fa, rsp = 0x820bf78a8, rbp = 0x820bf7960 ---
KDB: enter: panic
[ thread pid 945 tid 100108 ]
Stopped at      kdb_enter+0x34: movq    $0,0x1f09d01(%rip)
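As an added illustration, not FreeBSD or libnv code: a userland model of the copyin, nvlist_unpack(), check and lookup sequence in the ioctl handler, so the effect of testing the wrong pointer can be observed without a kernel. It assumes a stand-in packed format (a 4-byte "nvl\0" header followed by payload, not libnv's real wire format), assumes the pre-fix check inspected the copied-in buffer rather than nvlist_unpack()'s return value (the page only says the check "is never false"), and models the nvlist_find() assertion from the backtrace as a -1 sentinel instead of aborting. The 14-byte junk input stands in for whatever the ioctl copies from the uninitialized buffer in the test plan.

```c
/*
 * Added example, not FreeBSD or libnv code: a model of the handler's
 * copyin -> nvlist_unpack() -> check -> lookup steps.  The "packed
 * nvlist" format is an assumed stand-in: 4-byte "nvl\0" header + payload.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_NVLBUF_MAX   4096   /* assumed cap on the user-supplied length */
#define MODEL_ASSERT_HIT   (-1)   /* stands in for the nvlist_find() assertion panic */

static const uint8_t model_magic[4] = { 'n', 'v', 'l', 0 };   /* assumed header */

struct model_nvlist {
        size_t payload_len;
};

/* Stand-in for nvlist_unpack(): returns NULL on any malformed input. */
static struct model_nvlist *
model_unpack(const void *buf, size_t nbytes)
{
        struct model_nvlist *nvl;

        if (nbytes < sizeof(model_magic) ||
            memcmp(buf, model_magic, sizeof(model_magic)) != 0)
                return (NULL);
        if ((nvl = calloc(1, sizeof(*nvl))) == NULL)
                return (NULL);
        nvl->payload_len = nbytes - sizeof(model_magic);
        return (nvl);
}

/*
 * Stand-in for nvlist_exists_nvlist_array(): libnv asserts nvl != NULL in
 * nvlist_find() (the panic in the backtrace).  Modelled as a sentinel so
 * the outcome can be checked instead of aborting the process.
 */
static int
model_exists(const struct model_nvlist *nvl)
{
        if (nvl == NULL)
                return (MODEL_ASSERT_HIT);
        return (nvl->payload_len > 0);
}

/* Shared prologue: length cap, allocate, "copyin" the user buffer. */
static int
model_copyin(const void *ubuf, size_t nbytes, void **kbuf)
{
        if (nbytes > MODEL_NVLBUF_MAX)
                return (ENOMEM);
        if ((*kbuf = malloc(nbytes)) == NULL)
                return (ENOMEM);
        memcpy(*kbuf, ubuf, nbytes);
        return (0);
}

/*
 * check_result selects which pointer the NULL test inspects: the unpack
 * result (correct), or the copied-in buffer, which was validated a few
 * lines earlier and so can never be NULL here (assumed pre-fix shape).
 */
static int
model_add_user_devs(const void *ubuf, size_t nbytes, int check_result)
{
        void *kbuf, *checked;
        struct model_nvlist *nvl;
        int err;

        if ((err = model_copyin(ubuf, nbytes, &kbuf)) != 0)
                return (err);
        nvl = model_unpack(kbuf, nbytes);
        checked = check_result ? (void *)nvl : kbuf;
        if (checked == NULL) {
                free(kbuf);
                return (EINVAL);
        }
        err = model_exists(nvl);        /* wrong check: NULL nvl lands here */
        free(nvl);
        free(kbuf);
        return (err < 0 ? err : 0);
}

int
add_user_devs_broken(const void *ubuf, size_t nbytes)
{
        return (model_add_user_devs(ubuf, nbytes, 0));
}

int
add_user_devs_fixed(const void *ubuf, size_t nbytes)
{
        return (model_add_user_devs(ubuf, nbytes, 1));
}

/* Constructed inputs: 14 junk bytes, as in the test plan, and one valid blob. */
static const uint8_t model_junk[14] = { 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe,
                                        0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad };
static const uint8_t model_valid[8] = { 'n', 'v', 'l', 0, 1, 2, 3, 4 };

int
main(void)
{
        printf("broken, junk : %d (-1 = would have panicked)\n",
            add_user_devs_broken(model_junk, sizeof(model_junk)));
        printf("fixed,  junk : %d (EINVAL = %d)\n",
            add_user_devs_fixed(model_junk, sizeof(model_junk)), EINVAL);
        printf("fixed,  valid: %d\n",
            add_user_devs_fixed(model_valid, sizeof(model_valid)));
        return (0);
}
```

The point the model makes is the one the review is about: the only pointer worth testing after nvlist_unpack() is the one it returned. Testing the input buffer it was given proves nothing, since that buffer was already checked when it was allocated and filled, so the failure is only caught one call later, inside libnv's own assertion, which in the kernel is a panic reachable from an unprivileged ioctl.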

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

christos created this revision.
This revision is now accepted and ready to land. May 17 2024, 10:44 PM

The current check is never false and If nvlist_unpack(), we might panic later down the road.

Commit message should probably be "... if nvlist_unpack() fails, ..."?

I have it fixed locally, just didn't update the message here. :-)