From 7325737270ca9aa926f636422c2c9e7f93134ee7 Mon Sep 17 00:00:00 2001
From: anton
Date: Fri, 1 Feb 2019 07:02:32 +0000
Subject: In wskbdclose(), use the same logic as in wskbdopen() to determine if the device was opened in write-only mode. Relying on me_evar being NULL does not work if the wskbd device was opened first followed by opening a wsmux device. Closing the wskbd device first at this stage would cause the wscons_event queue inherited from the wsmux device to be freed. This in turn could cause a panic if an ioctl(WSMUXIO_INJECTEVENT) command is issued to the wsmux device. ok deraadt@ visa@
Reported-by: syzbot+ed88256423ae8d882b8b@syzkaller.appspotmail.com
---
 sys/dev/wscons/wskbd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'sys/dev')
diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c
index a90917605ad..f53a2abd367 100644
--- a/sys/dev/wscons/wskbd.c
+++ b/sys/dev/wscons/wskbd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wskbd.c,v 1.94 2018/11/20 19:33:44 anton Exp $ */
+/* $OpenBSD: wskbd.c,v 1.95 2019/02/01 07:02:31 anton Exp $ */
 /* $NetBSD: wskbd.c,v 1.80 2005/05/04 01:52:16 augustss Exp $ */
 /*
@@ -850,9 +850,10 @@ wskbdclose(dev_t dev, int flags, int mode, struct proc *p)
 (struct wskbd_softc *)wskbd_cd.cd_devs[minor(dev)];
 struct wseventvar *evar = sc->sc_base.me_evp;
- if (evar == NULL)
+ if ((flags & (FREAD | FWRITE)) == FWRITE) {
 /* not open for read */
 return (0);
+ }
 sc->sc_base.me_evp = NULL;
 sc->sc_translating = 1;
--
cgit v1.2.3
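Review bot: With the `evar == NULL` test replaced by the flags test in wskbdclose(), `evar` is still loaded from `sc->sc_base.me_evp`, but nothing in the visible lines guarantees it is non-NULL once the new guard is passed; the function continues below the hunk, so whether it is dereferenced or freed there cannot be confirmed from here. If a read-mode close can ever arrive with no event queue attached, keeping a second guard after the new one, `if (evar == NULL) return (0);`, would preserve the old protection without reintroducing the wsmux problem. The reason for trusting `flags` over `me_evp` lives only in the commit message, so a comment on the new test such as `/* me_evp may belong to a wsmux opened later; check the open mode instead */` would keep a later cleanup from reverting it. It is also worth confirming that the `flags` passed at close always match those of the open that allocated the queue, since the early return otherwise leaves `me_evp` set.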