authoranton <anton@cvs.openbsd.org>2019-02-04 07:04:29 +0000
committeranton <anton@cvs.openbsd.org>2019-02-04 07:04:29 +0000
commit277b7cd47ea09980e8d3a02dbe5711df373048ad (patch)
tree0c5a449486397b7b0a1b0e5082f03d6e6f1f467d /sys
parent3b15efeb0df5899928837997cfeab2dccab1e422 (diff)
When freeing the sem_undo structure in semundo_adjust(), update the
caller-supplied pointer. Otherwise, the caller is left with a dangling pointer that could lead to a use-after-free panic. ok millert@ visa@ Reported-by: syzbot+ac1d7685deab53b95ace@syzkaller.appspotmail.com Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/sysv_sem.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index 4f72a7595ae..1abfda51c5c 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.55 2019/01/25 00:19:26 millert Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.56 2019/02/04 07:04:28 anton Exp $ */
/* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
/*
@@ -155,6 +155,7 @@ semundo_adjust(struct proc *p, struct sem_undo **supptr, int semid, int semnum,
return (0);
if (--suptr->un_cnt == 0) {
+ *supptr = NULL;
SLIST_REMOVE(&semu_list, suptr, sem_undo, un_next);
pool_put(&semu_pool, suptr);
semutot--;