compat/linprocfs: Fix auxv sbuf leak

linprocfs_doauxv() allocates an automatic sbuf before validating
whether the requested read can be satisfied.

When the computed auxv read length exceeds IOSIZE_MAX, or when the
buffer length is too big, the function returns early without
releasing the sbuf.

Route these early exits through a shared cleanup path so the sbuf is
always deleted after sbuf_new_auto() succeeds.

Signed-off-by:  Shunchao Hu <ankohuu@gmail.com>
Reviewed by:    des, spmzt, zlei, aokblast
MFC after:      2 weeks
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2118
Shunchao Hu
2026-04-04 10:27:53 +00:00
committed by ShengYi Hung
parent c913dce86e
commit 16aa49f6d1
+11 -8
@@ -2026,23 +2026,26 @@ linprocfs_doauxv(PFS_FILL_ARGS)
if (asb == NULL)
return (ENOMEM);
error = proc_getauxv(td, p, asb);
if (error == 0)
error = sbuf_finish(asb);
if (error != 0)
goto out;
error = sbuf_finish(asb);
if (error != 0)
goto out;
resid = sbuf_len(asb) - uio->uio_offset;
if (resid > uio->uio_resid)
buflen = uio->uio_resid;
else
buflen = resid;
if (buflen > IOSIZE_MAX)
return (EINVAL);
if (buflen > IOSIZE_MAX) {
error = EINVAL;
goto out;
}
if (buflen > maxphys)
buflen = maxphys;
if (resid <= 0)
return (0);
if (error == 0)
if (resid > 0)
error = uiomove(sbuf_data(asb) + uio->uio_offset, buflen, uio);
out:
sbuf_delete(asb);
return (error);
}
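Review bot: The `if (buflen > IOSIZE_MAX)` test still runs before the sign of `resid` is known, so a read at or past the end of the auxv data first copies a non-positive `resid` into `buflen`. That is harmless only if both variables are signed; their declarations sit above this hunk, so it is worth confirming. Handling end-of-data first would make the order independent of the types: `if (resid <= 0) goto out;` right after `resid` is computed, where `error` is already 0 and the read reports EOF. Separately, the old `if (resid <= 0) return (0);` exit also skipped `sbuf_delete()`, and it looks like the path an ordinary read-to-EOF from userland takes, so the commit message should name it alongside the two exits it lists.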