diff options
| author |   anton <anton@openbsd.org> | 2019-02-04 07:04:28 +0000 |
|---|---|---|
| committer | anton <anton@openbsd.org> | 2019-02-04 07:04:28 +0000 |
| commit | 83bdf79e8cec352614c1f973cd8a930f2b8c96c1 (patch) | |
| tree | e5f65d50ca868cbdd41d4ccee3d4232151cadedb | |
| parent | Remove obsolete "Protocol" from commented out examples. (diff) | |
| download | wireguard-openbsd-83bdf79e8cec352614c1f973cd8a930f2b8c96c1.tar.xz wireguard-openbsd-83bdf79e8cec352614c1f973cd8a930f2b8c96c1.zip | |
When freeing the sem_undo structure in semundo_adjust(), update the
caller supplied pointer. Otherwise, the caller is left with a dangling
pointer that could lead to a use-after-free panic.
ok millert@ visa@
Reported-by: syzbot+ac1d7685deab53b95ace@syzkaller.appspotmail.com
Reported-by: syzbot+dbe8f002f8051f26f6fe@syzkaller.appspotmail.com
| -rw-r--r-- | sys/kern/sysv_sem.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c index 4f72a7595ae..1abfda51c5c 100644 --- a/sys/kern/sysv_sem.c +++ b/sys/kern/sysv_sem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sysv_sem.c,v 1.55 2019/01/25 00:19:26 millert Exp $ */ +/* $OpenBSD: sysv_sem.c,v 1.56 2019/02/04 07:04:28 anton Exp $ */ /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */ /* @@ -155,6 +155,7 @@ semundo_adjust(struct proc *p, struct sem_undo **supptr, int semid, int semnum, return (0); if (--suptr->un_cnt == 0) { + *supptr = NULL; SLIST_REMOVE(&semu_list, suptr, sem_undo, un_next); pool_put(&semu_pool, suptr); semutot--; |