Bug 261457 - Fix a possible Null pointer dereference in mld_is_addr_reported()
Summary: Fix a possible Null pointer dereference in mld_is_addr_reported()
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: --- Affects Only Me
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-25 07:11 UTC by Zhou Qingyang
Modified: 2022-04-28 00:35 UTC (History)
1 user (show)

See Also:

Attachments
A simple fix for this bug (1.04 KB, patch)
2022-01-25 07:11 UTC, Zhou Qingyang 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Zhou Qingyang 2022-01-25 07:11:23 UTC 
Created attachment 231297 [details]
A simple fix for this bug

In mld_is_addr_reported(), the return value of mli_alloc_locked() is assigned to mli and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of allocation.

Fix this bug by adding a NULL check of mli.

This bug is found by a static analyzer, please advise.
Comment 1 Yuri 2022-01-25 07:26:54 UTC 
It's mld_domifattach(), right?  And NULL check is "if (mli == NULL)".
Comment 2 Zhou Qingyang 2022-04-18 14:10:07 UTC 
(In reply to Yuri from comment #1)
Yes you're right, the fix is not proper.
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2022-04-18 16:17:53 UTC 
A better solution is to ensure that the failure doesn't happen in the first place: https://reviews.freebsd.org/D34943
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-04-21 17:26:36 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5d691ab4f03d436d38f46777c3c117cf5a27f1bc

commit 5d691ab4f03d436d38f46777c3c117cf5a27f1bc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-04-21 17:22:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-04-21 17:23:59 +0000

    mld6: Ensure that mld_domifattach() always succeeds

    mld_domifattach() does a memory allocation under the global MLD mutex
    and so can fail, but no error handling prevents a null pointer
    dereference in this case.  The mutex is only needed when updating the
    global softc list; the allocation and static initialization of the softc
    does not require this mutex.  So, reduce the scope of the mutex and use
    M_WAITOK for the allocation.

    PR:             261457
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34943

 sys/netinet6/mld6.c | 48 ++++++++++--------------------------------------
 1 file changed, 10 insertions(+), 38 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-04-28 00:35:00 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=46242829baa3c822b8e7376a71f1d0fa2be1c5c5

commit 46242829baa3c822b8e7376a71f1d0fa2be1c5c5
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-04-21 17:22:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-04-28 00:34:17 +0000

    mld6: Ensure that mld_domifattach() always succeeds

    mld_domifattach() does a memory allocation under the global MLD mutex
    and so can fail, but no error handling prevents a null pointer
    dereference in this case.  The mutex is only needed when updating the
    global softc list; the allocation and static initialization of the softc
    does not require this mutex.  So, reduce the scope of the mutex and use
    M_WAITOK for the allocation.

    PR:             261457
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 5d691ab4f03d436d38f46777c3c117cf5a27f1bc)

 sys/netinet6/mld6.c | 48 ++++++++++--------------------------------------
 1 file changed, 10 insertions(+), 38 deletions(-)
Comment 6 Mark Johnston freebsd_committer freebsd_triage 2022-04-28 00:35:41 UTC 
Thanks for the report.