[Midnightbsd-cvs] src [12215] stable/1.1: The code which handles a close(2) of a descriptor created by
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Jul 24 18:52:35 EDT 2019
Revision: 12215
http://svnweb.midnightbsd.org/src/?rev=12215
Author: laffer1
Date: 2019-07-24 18:52:34 -0400 (Wed, 24 Jul 2019)
Log Message:
-----------
The code which handles a close(2) of a descriptor created by
posix_openpt(2) fails to undo the configuration which causes SIGIO to be
raised. This bug can lead to a write-after-free of kernel memory.
Modified Paths:
--------------
stable/1.1/UPDATING
stable/1.1/sys/kern/tty.c
Modified: stable/1.1/UPDATING
===================================================================
--- stable/1.1/UPDATING 2019-07-24 22:51:58 UTC (rev 12214)
+++ stable/1.1/UPDATING 2019-07-24 22:52:34 UTC (rev 12215)
@@ -3,6 +3,10 @@
20190724:
Fix some buffer overflows in telnet client.
+ The code which handles a close(2) of a descriptor created by
+ posix_openpt(2) fails to undo the configuration which causes SIGIO to be
+ raised. This bug can lead to a write-after-free of kernel memory.
+
20190223:
Update mport package tool with version from CURRENT. Supports
origin lookups with /usr/libexec/mport.query now, required for latest
Modified: stable/1.1/sys/kern/tty.c
===================================================================
--- stable/1.1/sys/kern/tty.c 2019-07-24 22:51:58 UTC (rev 12214)
+++ stable/1.1/sys/kern/tty.c 2019-07-24 22:52:34 UTC (rev 12215)
@@ -202,9 +202,6 @@
tp->t_flags |= TF_OPENCLOSE;
- /* Stop asynchronous I/O. */
- funsetown(&tp->t_sigio);
-
/* Remove console TTY. */
if (constty == tp)
constty_clear();
@@ -1093,6 +1090,9 @@
return;
}
+ /* Stop asynchronous I/O. */
+ funsetown(&tp->t_sigio);
+
/* TTY can be deallocated. */
dev = tp->t_dev;
tp->t_dev = NULL;
More information about the Midnightbsd-cvs
mailing list