From 277b7cd47ea09980e8d3a02dbe5711df373048ad Mon Sep 17 00:00:00 2001
From: anton
Date: Mon, 4 Feb 2019 07:04:29 +0000
Subject: When freeing the sem_undo structure in semundo_adjust(), update the caller supplied pointer. Otherwise, the caller is left with a dangling pointer that could lead to a use-after-free panic.

ok millert@ visa@

Reported-by: syzbot+ac1d7685deab53b95ace@syzkaller.appspotmail.com
Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com
---
 sys/kern/sysv_sem.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'sys')

diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index 4f72a7595ae..1abfda51c5c 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.55 2019/01/25 00:19:26 millert Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.56 2019/02/04 07:04:28 anton Exp $ */
 /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
 
 /*
@@ -155,6 +155,7 @@ semundo_adjust(struct proc *p, struct sem_undo **supptr, int semid, int semnum,
 return (0);
 
 if (--suptr->un_cnt == 0) {
+ *supptr = NULL;
 SLIST_REMOVE(&semu_list, suptr, sem_undo, un_next);
 pool_put(&semu_pool, suptr);
 semutot--;
-- 
cgit v1.2.3
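Review bot: The added `*supptr = NULL;` clears only the caller's handle; the local `suptr` still holds the freed address once `pool_put(&semu_pool, suptr)` runs, so any read of `suptr` after the `if` block would be a use-after-free inside semundo_adjust() itself. Within the hunk there is no such read, but the function continues past the hunk, so that tail should be checked to confirm `suptr` is only touched on the path where the free did not happen. A one-line comment on the added line would record why the clear must precede the free, e.g. `/* Clear the caller's handle before freeing so it cannot dangle. */`. Callers that copied the sem_undo pointer into a second local before the call are not covered by this change; whether any exist cannot be seen from here.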