From nobody Mon Nov 18 22:13:22 2024
Date: Mon, 18 Nov 2024 22:13:22 GMT
Message-Id: <202411182213.4AIMDMsO020364@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Gleb Smirnoff
Subject: git: dae64402b3e8 - main - rtsock: fix panic in rtsock_msg_buffer()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: glebius
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: dae64402b3e8ef7488db0df8003361f242573905
Auto-Submitted: auto-generated

The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=dae64402b3e8ef7488db0df8003361f242573905

commit dae64402b3e8ef7488db0df8003361f242573905
Author:     Gleb Smirnoff
AuthorDate: 2024-11-18 22:12:42 +0000
Commit:     Gleb Smirnoff
CommitDate: 2024-11-18 22:12:42 +0000

    rtsock: fix panic in rtsock_msg_buffer()

    The rtsock_msg_buffer() can be called without walkarg, just to calculate
    required length. It can also be called with a degenerate walkarg, that
    doesn't have a w_req. The latter happens when the function is called
    from update_rtm_from_info() for the second time.

    Zero init walkarg in update_rtm_from_info() and don't pass random stack
    garbage as w_req. In rtsock_msg_buffer() initialize compat32 boolean
    only once and take care of possible empty w_req. Simplify the rest of
    code once compat32 is already set.

    Reviewed by:            melifaro
    Differential Revision:  https://reviews.freebsd.org/D47662
    Reported-by:            syzbot+d4a2682059e23179e76e@syzkaller.appspotmail.com
    Reported-by:            syzbot+66d7c9b3062e27a56f3f@syzkaller.appspotmail.com
---
 sys/net/rtsock.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 09d463dc17af..a5395dcf1469 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -921,8 +921,10 @@ update_rtm_from_info(struct rt_addrinfo *info, struct rt_msghdr **prtm, */ } - w.w_tmem = (caddr_t)rtm; - w.w_tmemsize = alloc_len; + w = (struct walkarg ){ + .w_tmem = (caddr_t)rtm, + .w_tmemsize = alloc_len, + }; rtsock_msg_buffer(rtm->rtm_type, info, &w, &len); rtm->rtm_addrs = info->rti_addrs; @@ -1774,7 +1776,10 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int * struct sockaddr_in6 *sin6; #endif #ifdef COMPAT_FREEBSD32 - bool compat32 = false; + bool compat32; + + compat32 = w != NULL && w->w_req != NULL && + (w->w_req->flags & SCTL_MASK32); #endif switch (type) { @@ -1782,10 +1787,9 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int * case RTM_NEWADDR: if (w != NULL && w->w_op == NET_RT_IFLISTL) { #ifdef COMPAT_FREEBSD32 - if (w->w_req->flags & SCTL_MASK32) { + if (compat32) len = sizeof(struct ifa_msghdrl32); - compat32 = true; - } else + else #endif len = sizeof(struct ifa_msghdrl); } else @@ -1793,20 +1797,21 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int * break; case RTM_IFINFO: + if (w != NULL && w->w_op == NET_RT_IFLISTL) { #ifdef COMPAT_FREEBSD32 - if (w != NULL && w->w_req->flags & SCTL_MASK32) { - if (w->w_op == NET_RT_IFLISTL) + if (compat32) len = sizeof(struct if_msghdrl32); else +#endif + len = sizeof(struct if_msghdrl); + } else { +#ifdef COMPAT_FREEBSD32 + if (compat32) len = sizeof(struct if_msghdr32); - compat32 = true; - break; - } + else #endif - if (w != NULL && w->w_op == NET_RT_IFLISTL) - len = sizeof(struct if_msghdrl); - else - len = sizeof(struct if_msghdr); + len = sizeof(struct if_msghdr); + } break; case RTM_NEWMADDR:
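Review bot: in the update_rtm_from_info() hunk the compound literal `w = (struct walkarg ){` carries a stray space before the closing parenthesis; `(struct walkarg){` is the usual spelling. More importantly, the assignment now relies on the C rule that members a designated initializer leaves unnamed (here w_op and w_req) are zeroed, and nothing at the call site says so; a one-line comment that the NULL w_req is precisely what rtsock_msg_buffer() tests for would keep a future field-by-field rewrite of this assignment from reintroducing the garbage pointer.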
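Review bot: the new initializer `compat32 = w != NULL && w->w_req != NULL && (w->w_req->flags & SCTL_MASK32);` stores an int bit-test in a bool, which C99 converts correctly but reads as if compat32 could hold the mask value; `(w->w_req->flags & SCTL_MASK32) != 0` makes the intent explicit. Note also that the two NULL checks, which are the actual fix for the reported panic, sit inside #ifdef COMPAT_FREEBSD32; that is sound because the later hunks no longer read w->w_req outside that block, but it also means a kernel built without COMPAT_FREEBSD32 has no compat32 symbol at all, which is why every use site below still needs its own #ifdef.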
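Review bot: the RTM_NEWADDR case now reads `if (compat32) len = sizeof(struct ifa_msghdrl32); else` followed by `#endif` and then `len = sizeof(struct ifa_msghdrl);`, so the `else` exists only when COMPAT_FREEBSD32 is defined and the trailing statement becomes the sole body otherwise. That is behaviourally right, and dropping the `compat32 = true;` side effect is correct now that the single up-front initializer covers it, but an unbraced `else` whose body begins after a preprocessor line is easy to misread; braces around the whole if/else, or a short comment on the #ifdef shape, would help the next reader.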
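Review bot: the RTM_IFINFO rewrite inverts the nesting, testing `w->w_op == NET_RT_IFLISTL` first and compat32 second where the old code tested SCTL_MASK32 first; the two orders are equivalent only because compat32 already folds in `w != NULL`, and the old early `break` after `compat32 = true;` is gone so all four paths now reach the one `break` at the end of the case. The two #ifdef COMPAT_FREEBSD32 arms are now textbook duplicates of each other and of the RTM_NEWADDR case; if this function is touched again, a small lookup keyed on (iflistl, compat32) would replace three copies of the same if/else shape.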
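The calling convention the commit message describes, as an added user-space model that is not FreeBSD's code: `struct walkarg` is reduced to four members, the message structs, their sizes and the constant values are hypothetical stand-ins, and `msg_buffer_len()`, `make_update_walkarg()` and the `g_*` sample walkargs are invented names. It shows the two things the fix relies on: a designated-initializer compound literal zeroes the members it does not name (so w_req is NULL rather than stack garbage), and the length calculation evaluates the 32-bit flag once, behind both NULL checks, so the three call shapes (no walkarg, a zeroed walkarg, a sysctl request carrying SCTL_MASK32) all resolve to a size without dereferencing a missing request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel constants (values are made up). */
#define SCTL_MASK32	0x01
#define NET_RT_IFLIST	3
#define NET_RT_IFLISTL	7
#define RTM_NEWADDR	0x0c
#define RTM_IFINFO	0x0e

struct sysctl_req {
	int flags;
};

/* Modelled after struct walkarg in sys/net/rtsock.c; member set reduced. */
struct walkarg {
	int w_op;
	void *w_tmem;
	size_t w_tmemsize;
	struct sysctl_req *w_req;	/* NULL when no sysctl request is attached */
};

/* Stand-in message headers: only their sizes matter for this model. */
struct if_msghdr     { char body[32]; };
struct if_msghdr32   { char body[28]; };
struct if_msghdrl    { char body[48]; };
struct if_msghdrl32  { char body[40]; };
struct ifa_msghdr    { char body[24]; };
struct ifa_msghdrl   { char body[36]; };
struct ifa_msghdrl32 { char body[32]; };

/*
 * Header length selection shaped like the post-commit rtsock_msg_buffer():
 * compat32 is derived exactly once, and w->w_req is dereferenced only after
 * both w and w->w_req have been checked for NULL.  Returns 0 for message
 * types this model does not cover.
 */
size_t
msg_buffer_len(int type, const struct walkarg *w)
{
	bool compat32, iflistl;

	compat32 = w != NULL && w->w_req != NULL &&
	    (w->w_req->flags & SCTL_MASK32) != 0;
	iflistl = w != NULL && w->w_op == NET_RT_IFLISTL;

	switch (type) {
	case RTM_NEWADDR:
		if (iflistl)
			return (compat32 ? sizeof(struct ifa_msghdrl32) :
			    sizeof(struct ifa_msghdrl));
		return (sizeof(struct ifa_msghdr));
	case RTM_IFINFO:
		if (iflistl)
			return (compat32 ? sizeof(struct if_msghdrl32) :
			    sizeof(struct if_msghdrl));
		return (compat32 ? sizeof(struct if_msghdr32) :
		    sizeof(struct if_msghdr));
	default:
		return (0);
	}
}

/*
 * Caller side, shaped like the fixed update_rtm_from_info(): a compound
 * literal with designated initializers zeroes every member it does not name
 * (C99 6.7.8p21), so w_op is 0 and w_req is NULL instead of whatever the
 * stack held.  Assigning w.w_tmem and w.w_tmemsize one at a time would
 * leave the other members indeterminate.
 */
struct walkarg
make_update_walkarg(void *rtm, size_t alloc_len)
{
	struct walkarg w;

	w = (struct walkarg){
		.w_tmem = rtm,
		.w_tmemsize = alloc_len,
	};
	return (w);
}

/* Constructed sample walkargs: a 32-bit sysctl request on the two list ops,
 * and a native NET_RT_IFLISTL walk with no request attached. */
struct sysctl_req g_req32 = { .flags = SCTL_MASK32 };
struct walkarg g_iflistl32 = { .w_op = NET_RT_IFLISTL, .w_req = &g_req32 };
struct walkarg g_iflist32 = { .w_op = NET_RT_IFLIST, .w_req = &g_req32 };
struct walkarg g_iflistl_noreq = { .w_op = NET_RT_IFLISTL };

int
main(void)
{
	char rtm[64];
	struct walkarg w = make_update_walkarg(rtm, sizeof(rtm));

	printf("no walkarg:      RTM_IFINFO -> %zu bytes\n",
	    msg_buffer_len(RTM_IFINFO, NULL));
	printf("zeroed walkarg:  RTM_IFINFO -> %zu bytes, w_req=%p\n",
	    msg_buffer_len(RTM_IFINFO, &w), (void *)w.w_req);
	printf("32-bit IFLISTL:  RTM_IFINFO -> %zu bytes\n",
	    msg_buffer_len(RTM_IFINFO, &g_iflistl32));
	return (0);
}
```

The sizes printed are those of the stand-in structs, not the kernel's; the point of the run is that the NULL and zeroed-walkarg calls complete and land on the native non-list header, while the request carrying SCTL_MASK32 selects the 32-bit layout only when the flag is actually reachable.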