author | anton <anton@cvs.openbsd.org> | 2019-02-04 07:04:29 +0000 |
---|---|---|
committer | anton <anton@cvs.openbsd.org> | 2019-02-04 07:04:29 +0000 |
commit | 277b7cd47ea09980e8d3a02dbe5711df373048ad | |
tree | 0c5a449486397b7b0a1b0e5082f03d6e6f1f467d /sys | |
parent | 3b15efeb0df5899928837997cfeab2dccab1e422 | |
When freeing the sem_undo structure in semundo_adjust(), update the
caller supplied pointer. Otherwise, the caller is left with a dangling
pointer that could lead to a use-after-free panic.
ok millert@ visa@
Reported-by: syzbot+ac1d7685deab53b95ace@syzkaller.appspotmail.com
Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/sysv_sem.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c index 4f72a7595ae..1abfda51c5c 100644 --- a/sys/kern/sysv_sem.c +++ b/sys/kern/sysv_sem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sysv_sem.c,v 1.55 2019/01/25 00:19:26 millert Exp $ */ +/* $OpenBSD: sysv_sem.c,v 1.56 2019/02/04 07:04:28 anton Exp $ */ /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */ /* @@ -155,6 +155,7 @@ semundo_adjust(struct proc *p, struct sem_undo **supptr, int semid, int semnum, return (0); if (--suptr->un_cnt == 0) { + *supptr = NULL; SLIST_REMOVE(&semu_list, suptr, sem_undo, un_next); pool_put(&semu_pool, suptr); semutot--; |
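Review bot: In the `if (--suptr->un_cnt == 0)` branch of semundo_adjust(), the added `*supptr = NULL;` is the only signal to the caller that the entry has gone back to semu_pool via pool_put(), and nothing in the visible lines documents that contract. A one-line comment above the assignment, plus a note in the function's header comment that `*supptr` may be NULL on return, would keep a later refactor from dropping it. Every caller that touches its pointer after semundo_adjust() returns now has to check it for NULL before dereferencing; those call sites are outside this hunk and are worth confirming as part of the review.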