Found bugs

Most latest bugs are reported by syzbot to syzkaller-openbsd-bugs mailing list and are listed on the dashboard.

Newer bugs comes first.

• pppx(4): variable confusion

• wscons(4): double free

• pppx(4): concurrent access of partially initialized softc

• kcov(4): disallow file descriptor send/receive

• pf(4): NULL pointer dereference

• vnd(4): missing locking

• sysctl: state changed after sleeping

• mlock: double free

• shmat: propagate error instead of panicking on allocation failure

• vnd(4): state changed after sleeping

• dt(4): too strict assertion

• uvm(9): NULL pointer dereference

• pf(4): division by zero

• multicast(4): NULL pointer dereference

• inet6(4): NULL pointer dereference

• vmm(4): missing locking

• vnd(4): unintended nesting of devices

• route(4): NULL pointer dereference

• vmm(4): missing locking

• vmm(4): missing locking

• pf(4): use-after-free

• vmm(4): lock ordering problem

• kqueue: missing locking

• socketpair: lock ordering problem

• tun(4): leaking device references

• pf(4): incorrect handling of overlapping fragments ERRATA-68-014

• if_addgroup(9): double free of interface groups

• pf(4): pfsync_state_import() cannot be called with the pf state lock held

• pty(4): vnode handling regression

• kqueue: too strict assertion

• pflog(4): NULL pointer dereference

• pflog(4): construction of corrupted mbufs

• sosplice(9): stack overflow while handling broadcast packets

• pf(4): lenient validation of port ranges

• wsmux(4): NULL pointer dereference due to a race

• uvm(9): deadlock while using a vnode as the backing store

• pf(4): missing call to NET_UNLOCK()

• pf(4): sleeping with locks held

• mmap: lenient validation of shared mappings

• kcov(4): race during remote section removal

• sysctl: lenient validation of integer values

• inet6(4): lenient validation in in6_ioctl_change_ifaddr()

• wsmux(4): use-after-free

• pty(4): machine lockup due to expensive retyping

• sysctl: lenient validation of net.inet.tcp.synbucketlimit

• tty(4): infinite sleep during close

• inet6(4): lenient validation in ip6_pullexthdr()

• inet6(4): mutating static routes

• pf(4): lenient validation in pf_rulecopyin()

• sosplice(9): socket lock already held

• vmm(4): out-of-bounds read

• VOP_LOCK(9): too strict lockcount assertion

• wsmux(4): use-after-free

• sosplice(9): unbound recursion

• shmctl: use-after-free due to sleeping

• kqueue: interrupt race

• pf(4): unhandled address families

• uvm(9): incorrect offset calculation in uvm_share(9)

• vmm(4): wrong virtual memory structure type

• tun(4): interface creation race

• ioctl: lenient validation of interface address

• shmctl: use-after-free due to sleeping

• bpf(4): missing reference counting

• unveil: do not increment ps_uvncount more than once per unveiled path

• sendto: lenient validation of socket address

• vmm(4): missing locking

• vmm(4): number of VMs counter overflow

• ip6(4): use-after-free in multicast route

• VOP_LOCK(9): threads not observing exclusive lock

• ip6(4): don’t use the flow of the first fragment to store ECN data

• acct: vn_close(9) race

• diskmap(4): side-effect in error path

• rtable_walk(9): stack exhausted due to recursion

• ftruncate: side-effect in error path

• sendto: missing presence check of RTF_MPLS flag

• sendto: comparison of non-canonical sockaddr

• ioctl: NULL pointer dereference in mrt_ioctl and mrt6_ioctl

• pckbc(4): command queue corruption

• wsmux(4): use-after-free in wsmux_do_ioctl()

• sendto: lenient validation in rt_mpls_set()

• bpf(4): unsigned integer wrap around

• vmm(4): printf() called from IPI-context

• bpf(4): negative input accepted in bpfioctl()

• sendto: lenient rtm_hdrlen validation

• wsmux(4): restrict the number of allowed devices

• rtable(4): out-of-bounds read in rtable_satoplen()

• wsmux(4): wrong lock flags

• ioctl: negative input accepted in spkrioctl()

• wsmux(4): missing locking

• recvmsg: double free of mbuf

• semop: use-after-free

• kernel: missing lock acquisition during page fault

• ioctl: use-after-free in wsmux_do_ioctl()

• ioctl: out of bounds access in wsmux_do_ioctl()

• unveil: NULL pointer dereference

• fcntl: use-after-free in lf_findoverlap()

• setsockopt: incorrect mbuf padding

• read: missing locking

• write: lenient IP packet validation

• mbuf(9): mutating read-only mbuf

• setrlimit: lock ordering problem in mi_switch()

• switch(4): many affected syscalls due to mbuf corruption

• setsockopt: integer overflow in ip_pcbopts() ERRATA-64-010

• recv: unexpected mbuf queue growth while sleeping ERRATA-64-009

• ioctl: reject inappropriate commands in wsmux_do_ioctl()

• getsockopt: errorneous switch fall through in rip_usrreq() affecting many socket related syscalls

• shutdown: integer overflow in unp_internalize() ERRATA-64-006

• ioctl: use-after-free in wsmux_do_ioctl()

• flock: double free

• poll: execution of address 0x0 caused by console redirection

• kqueue: use-after-free in kqueue_close()

• unveil: invalid call to VOP_UNLOCK()

• open: NULL pointer dereference while operating on cloned device

• mprotect: incorrect bounds check in uvm_map_protect()

• fchown: NULL pointer dereference while operating on cloned device

• recvmsg: double free of mbuf

• ftruncate: NULL pointer dereference while operating on cloned device

• kqueue: NULL pointer dereference