diff options
| author |   anton <anton@openbsd.org> | 2019-02-01 07:02:31 +0000 |
|---|---|---|
| committer | anton <anton@openbsd.org> | 2019-02-01 07:02:31 +0000 |
| commit | 77ada9744473f0a4789e493e59a470d02da7cac3 (patch) | |
| tree | 06824faf3ed4999b41c3e61715cf9ee37e33bdfa | |
| parent | update currency exchange rates; (diff) | |
| download | wireguard-openbsd-77ada9744473f0a4789e493e59a470d02da7cac3.tar.xz wireguard-openbsd-77ada9744473f0a4789e493e59a470d02da7cac3.zip | |
In wskbdclose(), use the same logic as in wskbdopen() to determine if
the device was opened in write-only mode. Relying on me_evar being NULL
does not work if the wskbd device was opened first followed by opening a
wsmux device. Closing the wskbd device first at this stage would cause
the wscons_event queue inherited from the wsmux device to be freed. This
in turn could cause a panic if an ioctl(WSMUXIO_INJECTEVENT) command is
issued to the wsmux device.
ok deraadt@ visa@
Reported-by: syzbot+ed88256423ae8d882b8b@syzkaller.appspotmail.com
| -rw-r--r-- | sys/dev/wscons/wskbd.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/dev/wscons/wskbd.c b/sys/dev/wscons/wskbd.c index a90917605ad..f53a2abd367 100644 --- a/sys/dev/wscons/wskbd.c +++ b/sys/dev/wscons/wskbd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wskbd.c,v 1.94 2018/11/20 19:33:44 anton Exp $ */ +/* $OpenBSD: wskbd.c,v 1.95 2019/02/01 07:02:31 anton Exp $ */ /* $NetBSD: wskbd.c,v 1.80 2005/05/04 01:52:16 augustss Exp $ */ /* @@ -850,9 +850,10 @@ wskbdclose(dev_t dev, int flags, int mode, struct proc *p) (struct wskbd_softc *)wskbd_cd.cd_devs[minor(dev)]; struct wseventvar *evar = sc->sc_base.me_evp; - if (evar == NULL) + if ((flags & (FREAD | FWRITE)) == FWRITE) { /* not open for read */ return (0); + } sc->sc_base.me_evp = NULL; sc->sc_translating = 1; |