summaryrefslogtreecommitdiff
path: root/sys/dev
diff options
context:
space:
mode:
authoranton <anton@cvs.openbsd.org>2019-02-01 07:02:32 +0000
committeranton <anton@cvs.openbsd.org>2019-02-01 07:02:32 +0000
commit7325737270ca9aa926f636422c2c9e7f93134ee7 (patch)
treed7512767b20e27647059afd9b075aff55f190891 /sys/dev
parent518dbc9a2a694a3c96dd7ea31385ba69d3c6d61e (diff)
In wskbdclose(), use the same logic as in wskbdopen() to determine if
the device was opened in write-only mode. Relying on me_evar being NULL does not work if the wskbd device was opened first followed by opening a wsmux device. Closing the wskbd device first at this stage would cause the wscons_event queue inherited from the wsmux device to be freed. This in turn could cause a panic if an ioctl(WSMUXIO_INJECTEVENT) command is issued to the wsmux device. ok deraadt@ visa@ Reported-by: syzbot+ed88256423ae8d882b8b@syzkaller.appspotmail.com
Diffstat (limited to 'sys/dev')
-rw-r--r--sys/dev/wscons/wskbd.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c
index a90917605ad..f53a2abd367 100644
--- a/sys/dev/wscons/wskbd.c
+++ b/sys/dev/wscons/wskbd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wskbd.c,v 1.94 2018/11/20 19:33:44 anton Exp $ */
+/* $OpenBSD: wskbd.c,v 1.95 2019/02/01 07:02:31 anton Exp $ */
/* $NetBSD: wskbd.c,v 1.80 2005/05/04 01:52:16 augustss Exp $ */
/*
@@ -850,9 +850,10 @@ wskbdclose(dev_t dev, int flags, int mode, struct proc *p)
(struct wskbd_softc *)wskbd_cd.cd_devs[minor(dev)];
struct wseventvar *evar = sc->sc_base.me_evp;
- if (evar == NULL)
+ if ((flags & (FREAD | FWRITE)) == FWRITE) {
/* not open for read */
return (0);
+ }
sc->sc_base.me_evp = NULL;
sc->sc_translating = 1;