author | anton <anton@cvs.openbsd.org> | 2019-02-01 07:02:32 +0000 |
---|---|---|
committer | anton <anton@cvs.openbsd.org> | 2019-02-01 07:02:32 +0000 |
commit | 7325737270ca9aa926f636422c2c9e7f93134ee7 (patch) | |
tree | d7512767b20e27647059afd9b075aff55f190891 /sys/dev | |
parent | 518dbc9a2a694a3c96dd7ea31385ba69d3c6d61e (diff) |
In wskbdclose(), use the same logic as in wskbdopen() to determine if
the device was opened in write-only mode. Relying on me_evar being NULL
does not work if the wskbd device was opened first followed by opening a
wsmux device. Closing the wskbd device first at this stage would cause
the wscons_event queue inherited from the wsmux device to be freed. This
in turn could cause a panic if an ioctl(WSMUXIO_INJECTEVENT) command is
issued to the wsmux device.
ok deraadt@ visa@
Reported-by: syzbot+ed88256423ae8d882b8b@syzkaller.appspotmail.com
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/wscons/wskbd.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c index a90917605ad..f53a2abd367 100644 --- a/sys/dev/wscons/wskbd.c +++ b/sys/dev/wscons/wskbd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wskbd.c,v 1.94 2018/11/20 19:33:44 anton Exp $ */ +/* $OpenBSD: wskbd.c,v 1.95 2019/02/01 07:02:31 anton Exp $ */ /* $NetBSD: wskbd.c,v 1.80 2005/05/04 01:52:16 augustss Exp $ */ /* @@ -850,9 +850,10 @@ wskbdclose(dev_t dev, int flags, int mode, struct proc *p) (struct wskbd_softc *)wskbd_cd.cd_devs[minor(dev)]; struct wseventvar *evar = sc->sc_base.me_evp; - if (evar == NULL) + if ((flags & (FREAD | FWRITE)) == FWRITE) { /* not open for read */ return (0); + } sc->sc_base.me_evp = NULL; sc->sc_translating = 1; |
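Review bot: In the wskbdclose() hunk, the flags test replaces the `evar == NULL` guard outright, so `evar` (still read from `sc->sc_base.me_evp` on the line above) reaches the rest of the function unchecked whenever the close is not write-only. The visible context ends at `sc->sc_translating = 1;`, so the patch alone does not show that every later use tolerates a NULL `evar`; consider keeping a NULL check or a KASSERT after the early return. Since the commit message says this mirrors wskbdopen(), a shared macro or helper for `(flags & (FREAD | FWRITE)) == FWRITE` would keep the open and close paths from drifting apart, and the `/* not open for read */` comment could say briefly why `me_evp` being NULL is not a reliable signal once a wsmux device has been opened.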