# Found bugs

Most recent bugs are reported by [syzbot](/docs/syzbot.md) to the
[syzkaller-openbsd-bugs](https://groups.google.com/forum/#!forum/syzkaller-openbsd-bugs)
mailing list and are listed on the [dashboard](https://syzkaller.appspot.com/openbsd).

Newer bugs come first.
     8  
- [pppx(4): variable confusion](https://marc.info/?l=openbsd-cvs&m=164087429912026&w=2)

- [wscons(4): double free](https://marc.info/?l=openbsd-cvs&m=164084727201849&w=2)

- [pppx(4): concurrent access of partially initialized softc](https://marc.info/?l=openbsd-cvs&m=164082533927977&w=2)

- [kcov(4): disallow file descriptor send/receive](https://marc.info/?l=openbsd-cvs&m=164076207103501&w=2)

- [pf(4): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=164052742928360&w=2)

- [vnd(4): missing locking](https://marc.info/?l=openbsd-cvs&m=164025412309248&w=2)

- [sysctl: state changed after sleeping](https://marc.info/?l=openbsd-cvs&m=164021158325071&w=2)

- [mlock: double free](https://marc.info/?l=openbsd-cvs&m=164012526116825&w=2)

- [shmat: propagate error instead of panicking on allocation failure](https://marc.info/?l=openbsd-cvs&m=164006713618898&w=2)

- [vnd(4): state changed after sleeping](https://marc.info/?l=openbsd-cvs&m=164006704118875&w=2)

- [dt(4): too strict assertion](https://marc.info/?l=openbsd-cvs&m=164003929408900&w=2)

- [uvm(9): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=163975066621151&w=2)

- [pf(4): division by zero](https://marc.info/?l=openbsd-cvs&m=163962008918189&w=2)

- [multicast(4): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=163958385427172&w=2)

- [inet6(4): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=163940579227165&w=2)

- [vmm(4): missing locking](https://marc.info/?l=openbsd-cvs&m=163886391905123&w=2)

- [vnd(4): unintended nesting of devices](https://marc.info/?l=openbsd-cvs&m=163379079731494&w=2)

- [route(4): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=163103086932150&w=2)

- [vmm(4): missing locking](https://marc.info/?l=openbsd-cvs&m=163084761315043&w=2)

- [vmm(4): missing locking](https://marc.info/?l=openbsd-cvs&m=163066962908920&w=2)

- [pf(4): use-after-free](https://marc.info/?l=openbsd-cvs&m=159828307919706&w=2)

- [vmm(4): lock ordering problem](https://marc.info/?l=openbsd-cvs&m=163050503012931&w=2)

- [kqueue: missing locking](https://marc.info/?l=openbsd-cvs&m=162338580619514&w=2)

- [socketpair: lock ordering problem](https://marc.info/?l=openbsd-cvs&m=162092535010623&w=2)

- [tun(4): leaking device references](https://marc.info/?l=openbsd-cvs&m=161532031720186&w=2)

- [pf(4): incorrect handling of overlapping fragments](https://marc.info/?l=openbsd-cvs&m=161399910228130&w=2) [ERRATA-68-014](https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/014_pffrag.patch.sig)

- [if_addgroup(9): double free of interface groups](https://marc.info/?l=openbsd-cvs&m=161296812703484&w=2)

- [pf(4): `pfsync_state_import()` cannot be called with the pf state lock held](https://marc.info/?l=openbsd-cvs&m=161291389116274&w=2)

- [pty(4): vnode handling regression](https://marc.info/?l=openbsd-cvs&m=161244556906196&w=2)

- [kqueue: too strict assertion](https://marc.info/?l=openbsd-cvs&m=161171631607161&w=2)

- [pflog(4): NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=161118513631692&w=2)

- [pflog(4): construction of corrupted mbufs](https://marc.info/?l=openbsd-cvs&m=161109496230236&w=2)

- [sosplice(9): stack overflow while handling broadcast packets](https://marc.info/?l=openbsd-cvs&m=161020414013356&w=2)

- [pf(4): lenient validation of port ranges](https://marc.info/?l=openbsd-cvs&m=160814166024961&w=2)

- [wsmux(4): NULL pointer dereference due to a race](https://marc.info/?l=openbsd-cvs&m=160724154822411&w=2)

- [uvm(9): deadlock while using a vnode as the backing store](https://marc.info/?l=openbsd-cvs&m=160374171822863&w=2)

- [pf(4): missing call to `NET_UNLOCK()`](https://marc.info/?l=openbsd-cvs&m=160336954005266&w=2)

- [pf(4): sleeping with locks held](https://marc.info/?l=openbsd-cvs&m=160326770113745&w=2)

- [mmap: lenient validation of shared mappings](https://marc.info/?l=openbsd-cvs&m=160184875108341&w=2)

- [kcov(4): race during remote section removal](https://marc.info/?l=openbsd-cvs&m=159869048726340&w=2)

- [sysctl: lenient validation of integer values](https://marc.info/?l=openbsd-cvs&m=159772809607851&w=2)

- [inet6(4): lenient validation in `in6_ioctl_change_ifaddr()`](https://marc.info/?l=openbsd-cvs&m=159656077206976&w=2)

- [wsmux(4): use-after-free](https://marc.info/?l=openbsd-cvs&m=159600205025410&w=2)

- [pty(4): machine lockup due to expensive retyping](https://marc.info/?l=openbsd-cvs&m=159473720602522&w=2)

- [sysctl: lenient validation of `net.inet.tcp.synbucketlimit`](https://marc.info/?l=openbsd-cvs&m=159249199005451&w=2)

- [tty(4): infinite sleep during close](https://marc.info/?l=openbsd-cvs&m=158892312627663&w=2)

- [inet6(4): lenient validation in `ip6_pullexthdr()`](https://marc.info/?l=openbsd-cvs&m=158874895026819&w=2)

- [inet6(4): mutating static routes](https://marc.info/?l=openbsd-cvs&m=158754155106430&w=2)

- [pf(4): lenient validation in `pf_rulecopyin()`](https://marc.info/?l=openbsd-cvs&m=158733548829486&w=2)

- [sosplice(9): socket lock already held](https://marc.info/?l=openbsd-cvs&m=158670814206616&w=2)

- [vmm(4): out-of-bounds read](https://marc.info/?l=openbsd-cvs&m=158548168627386&w=2)

- [VOP_LOCK(9): too strict lockcount assertion](https://marc.info/?l=openbsd-cvs&m=158529591303747&w=2)

- [wsmux(4): use-after-free](https://marc.info/?l=openbsd-cvs&m=158503642507991&w=2)

- [sosplice(9): unbound recursion](https://marc.info/?l=openbsd-cvs&m=158396530407996&w=2)

- [shmctl: use-after-free due to sleeping](https://marc.info/?l=openbsd-cvs&m=158330910903824&w=2)

- [kqueue: interrupt race](https://marc.info/?l=openbsd-cvs&m=158191244405065&w=2)

- [pf(4): unhandled address families](https://marc.info/?l=openbsd-cvs&m=157852015714603&w=2)

- [uvm(9): incorrect offset calculation in `uvm_share(9)`](https://marc.info/?l=openbsd-cvs&m=157544812928708&w=2)

- [vmm(4): wrong virtual memory structure type](https://marc.info/?l=openbsd-cvs&m=157544746828404&w=2)

- [tun(4): interface creation race](https://marc.info/?l=openbsd-cvs&m=157412200313814&w=2)

- [ioctl: lenient validation of interface address](https://marc.info/?l=openbsd-cvs&m=157313316301838&w=2)

- [shmctl: use-after-free due to sleeping](https://marc.info/?l=openbsd-cvs&m=157229269222248&w=2)

- [bpf(4): missing reference counting](https://marc.info/?l=openbsd-cvs&m=157169894124474&w=2)

- [unveil: do not increment `ps_uvncount` more than once per unveiled path](https://marc.info/?l=openbsd-cvs&m=156995587324429&w=2)

- [sendto: lenient validation of socket address](https://marc.info/?l=openbsd-cvs&m=156923645331466&w=2)

- [vmm(4): missing locking](https://marc.info/?l=openbsd-cvs&m=156822096707365&w=2)

- [vmm(4): number of VMs counter overflow](https://marc.info/?l=openbsd-cvs&m=156814418919992&w=2)

- [ip6(4): use-after-free in multicast route](https://marc.info/?l=openbsd-cvs&m=156761352927972&w=2)

- [VOP_LOCK(9): threads not observing exclusive lock](https://marc.info/?l=openbsd-cvs&m=156684581030011&w=2)

- [ip6(4): don't use the flow of the first fragment to store ECN data](https://marc.info/?l=openbsd-cvs&m=156684528429904&w=2)

- [acct: `vn_close(9)` race](https://marc.info/?l=openbsd-cvs&m=156585417104888&w=2)

- [diskmap(4): side-effect in error path](https://marc.info/?l=openbsd-cvs&m=156499481623952&w=2)

- [rtable_walk(9): stack exhausted due to recursion](https://marc.info/?l=openbsd-cvs&m=156113711405665&w=2)

- [ftruncate: side-effect in error path](https://marc.info/?l=openbsd-cvs&m=156084321808087&w=2)

- [sendto: missing presence check of `RTF_MPLS` flag](https://marc.info/?l=openbsd-cvs&m=156041373709268&w=2)

- [sendto: comparison of non-canonical sockaddr](https://marc.info/?l=openbsd-cvs&m=156041354609207&w=2)

- [ioctl: NULL pointer dereference in `mrt_ioctl` and `mrt6_ioctl`](https://marc.info/?l=openbsd-cvs&m=155966468511915&w=2)

- [pckbc(4): command queue corruption](https://marc.info/?l=openbsd-cvs&m=155958041916637&w=2)

- [wsmux(4): use-after-free in `wsmux_do_ioctl()`](https://marc.info/?l=openbsd-cvs&m=155847224722518&w=2)

- [sendto: lenient validation in `rt_mpls_set()`](https://marc.info/?l=openbsd-cvs&m=155759323213186&w=2)

- [bpf(4): unsigned integer wrap around](https://marc.info/?l=openbsd-cvs&m=155621669009140&w=2)

- [vmm(4): `printf()` called from IPI-context](https://marc.info/?l=openbsd-cvs&m=155590526807190&w=2)

- [bpf(4): negative input accepted in `bpfioctl()`](https://marc.info/?l=openbsd-cvs&m=155430843501793&w=2)

- [sendto: lenient `rtm_hdrlen` validation](https://marc.info/?l=openbsd-cvs&m=155404645328879&w=2)

- [wsmux(4): restrict the number of allowed devices](https://marc.info/?l=openbsd-cvs&m=155393308902921&w=2)

- [rtable(4): out-of-bounds read in `rtable_satoplen()`](https://marc.info/?l=openbsd-cvs&m=155181289205879&w=2)

- [wsmux(4): wrong lock flags](https://marc.info/?l=openbsd-cvs&m=155068528608010&w=2)

- [ioctl: negative input accepted in `spkrioctl()`](https://marc.info/?l=openbsd-cvs&m=155064605025992&w=2)

- [wsmux(4): missing locking](https://marc.info/?l=openbsd-cvs&m=155051156715959&w=2)

- [recvmsg: double free of mbuf](https://marc.info/?l=openbsd-cvs&m=154931648202074&w=2)

- [semop: use-after-free](https://marc.info/?l=openbsd-cvs&m=154926389815162&w=2)

- [kernel: missing lock acquisition during page fault](https://marc.info/?l=openbsd-cvs&m=154917205425885&w=2)

- [ioctl: use-after-free in `wsmux_do_ioctl()`](https://marc.info/?l=openbsd-cvs&m=154900458511494&w=2)

- [ioctl: out of bounds access in `wsmux_do_ioctl()`](https://marc.info/?l=openbsd-cvs&m=154859038916770&w=2)

- [unveil: NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=154818960525456&w=2)

- [fcntl: use-after-free in `lf_findoverlap()`](https://marc.info/?l=openbsd-cvs&m=154809417426357&w=2)

- [setsockopt: incorrect mbuf padding](https://marc.info/?l=openbsd-cvs&m=154784437622409&w=2)

- [read: missing locking](https://marc.info/?l=openbsd-cvs&m=154715201702848&w=2)

- [write: lenient IP packet validation](https://marc.info/?l=openbsd-cvs&m=154684768026869&w=2)

- [mbuf(9): mutating read-only mbuf](https://marc.info/?l=openbsd-cvs&m=154684739226800&w=2)

- [setrlimit: lock ordering problem in `mi_switch()`](https://marc.info/?l=openbsd-cvs&m=154677960110593&w=2)

- [switch(4): many affected syscalls due to mbuf corruption](https://marc.info/?l=openbsd-cvs&m=154600758019977&w=2)

- [setsockopt: integer overflow in `ip_pcbopts()`](https://marc.info/?l=openbsd-cvs&m=154531248603735&w=2) [ERRATA-64-010](https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/010_pcbopts.patch.sig)

- [recv: unexpected mbuf queue growth while sleeping](https://marc.info/?l=openbsd-cvs&m=154506523901003&w=2) [ERRATA-64-009](https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/009_recvwait.patch.sig)

- [ioctl: reject inappropriate commands in `wsmux_do_ioctl()`](https://marc.info/?l=openbsd-cvs&m=154507410803526&w=2)
   218  
- [getsockopt: erroneous switch fall through in `rip_usrreq()` affecting many socket related syscalls](https://marc.info/?l=openbsd-cvs&m=154383186000797&w=2)
   220  
- [shutdown: integer overflow in `unp_internalize()`](https://marc.info/?l=openbsd-cvs&m=154282004307882&w=2) [ERRATA-64-006](https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/006_uipc.patch.sig)

- [ioctl: use-after-free in `wsmux_do_ioctl()`](https://marc.info/?l=openbsd-cvs&m=154269457228677&w=2)

- [flock: double free](https://marc.info/?l=openbsd-cvs&m=154070100731996&w=2)

- [poll: execution of address `0x0` caused by console redirection](https://marc.info/?l=openbsd-cvs&m=153552269821957&w=2)

- [kqueue: use-after-free in `kqueue_close()`](https://marc.info/?l=openbsd-cvs&m=153364550327224&w=2)

- [unveil: invalid call to `VOP_UNLOCK()`](https://marc.info/?l=openbsd-cvs&m=153318491427658&w=2)

- [open: NULL pointer dereference while operating on cloned device](https://marc.info/?l=openbsd-cvs&m=153297130613157&w=2)

- [mprotect: incorrect bounds check in `uvm_map_protect()`](https://marc.info/?l=openbsd-cvs&m=153227003430211&w=2)

- [fchown: NULL pointer dereference while operating on cloned device](https://marc.info/?l=openbsd-cvs&m=153224108724940&w=2)

- [recvmsg: double free of mbuf](https://marc.info/?l=openbsd-cvs&m=153067010015474&w=2)

- [ftruncate: NULL pointer dereference while operating on cloned device](https://marc.info/?l=openbsd-cvs&m=153062270701248&w=2)

- [kqueue: NULL pointer dereference](https://marc.info/?l=openbsd-cvs&m=152930020005260&w=2)