[Midnightbsd-cvs] src [12214] trunk: The code which handles a close(2) of a descriptor created by
laffer1 at midnightbsd.org
Wed Jul 24 18:51:59 EDT 2019
Revision: 12214
http://svnweb.midnightbsd.org/src/?rev=12214
Author: laffer1
Date: 2019-07-24 18:51:58 -0400 (Wed, 24 Jul 2019)
Log Message:
-----------
The code which handles a close(2) of a descriptor created by
posix_openpt(2) fails to undo the configuration which causes SIGIO to be
raised. This bug can lead to a write-after-free of kernel memory.
Modified Paths:
--------------
trunk/UPDATING
trunk/sys/kern/tty.c
Modified: trunk/UPDATING
===================================================================
--- trunk/UPDATING 2019-07-24 22:50:31 UTC (rev 12213)
+++ trunk/UPDATING 2019-07-24 22:51:58 UTC (rev 12214)
@@ -3,6 +3,10 @@
20190724:
Fix some buffer overflows in telnet client
+ The code which handles a close(2) of a descriptor created by
+ posix_openpt(2) fails to undo the configuration which causes SIGIO to be
+ raised. This bug can lead to a write-after-free of kernel memory.
+
20190417:
bring back deroff(1) to fix spell(1)
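Review bot: The added 20190724 text describes the bug in the present tense ("fails to undo the configuration") and never says it is fixed, unlike the telnet line above it, which starts with "Fix". Reword it as a fix entry, for example "Fix close(2) handling of posix_openpt(2) descriptors so the SIGIO configuration is undone", and state what the reader has to do to pick it up, since the change is in sys/kern/tty.c. As shown, the new paragraph also continues straight on from the telnet line, so the two unrelated items read as one; a blank line between them would separate them.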
Modified: trunk/sys/kern/tty.c
===================================================================
--- trunk/sys/kern/tty.c 2019-07-24 22:50:31 UTC (rev 12213)
+++ trunk/sys/kern/tty.c 2019-07-24 22:51:58 UTC (rev 12214)
@@ -202,9 +202,6 @@
tp->t_flags |= TF_OPENCLOSE;
- /* Stop asynchronous I/O. */
- funsetown(&tp->t_sigio);
-
/* Remove console TTY. */
if (constty == tp)
constty_clear();
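Review bot: After the removal following `tp->t_flags |= TF_OPENCLOSE;`, nothing in this path says where the SIGIO owner is now cleared, and the log message does not mention that the `funsetown(&tp->t_sigio);` call was moved rather than dropped. A short comment here pointing at the deallocation path would keep the next reader from re-adding the call, and the log message should state that `t_sigio` now stays set past this point until the TTY is released.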
@@ -1093,6 +1090,9 @@
return;
}
+ /* Stop asynchronous I/O. */
+ funsetown(&tp->t_sigio);
+
/* TTY can be deallocated. */
dev = tp->t_dev;
tp->t_dev = NULL;
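Review bot: The new `funsetown(&tp->t_sigio);` sits after the early `return;` in the context above, so it is skipped whenever that branch is taken, and the comment "Stop asynchronous I/O." does not explain why the call has to be here. Expand the comment to state the ordering requirement, namely that the SIGIO owner must be cleared on the path that goes on to "TTY can be deallocated", so that nothing registered through `t_sigio` outlives the structure, which is the write-after-free the log message describes. It is also worth confirming in the commit description that every caller that previously relied on the earlier call reaches this point before the TTY is freed.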