Module Name:    src
Committed By:   mrg
Date:           Sun Jan  5 00:53:53 UTC 2014

Modified Files:
        src/sys/kern: core_elf32.c

Log Message:
avoid use-after-free in *coredump().
fixes kernel crashes during coredump on sparc64.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/kern/core_elf32.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/core_elf32.c
diff -u src/sys/kern/core_elf32.c:1.42 src/sys/kern/core_elf32.c:1.43
--- src/sys/kern/core_elf32.c:1.42	Sat Jan  4 00:10:03 2014
+++ src/sys/kern/core_elf32.c	Sun Jan  5 00:53:53 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: core_elf32.c,v 1.42 2014/01/04 00:10:03 dsl Exp $	*/
+/*	$NetBSD: core_elf32.c,v 1.43 2014/01/05 00:53:53 mrg Exp $	*/
 
 /*
  * Copyright (c) 2001 Wasabi Systems, Inc.
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: core_elf32.c,v 1.42 2014/01/04 00:10:03 dsl Exp $");
+__KERNEL_RCSID(1, "$NetBSD: core_elf32.c,v 1.43 2014/01/05 00:53:53 mrg Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_coredump.h"
@@ -116,6 +116,7 @@ ELFNAMEEND(coredump)(struct lwp *l, stru
 
 	struct note_state ns;
 	struct note_buf *nb;
+	struct note_buf *nb_next;
 
 	psections = NULL;
 
@@ -256,8 +257,10 @@ ELFNAMEEND(coredump)(struct lwp *l, stru
   out:
 	if (psections)
 		kmem_free(psections, psectionssize);
-	for (; (nb = ns.ns_first) != NULL; ns.ns_first = nb->nb_next)
+	for (; (nb = ns.ns_first) != NULL; ns.ns_first = nb_next) {
+		nb_next = nb->nb_next;
 		kmem_free(nb, sizeof *nb);
+	}
 	return (error);
 }
 
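Review bot: The cleanup loop under `out:` now reads `nb->nb_next` before `kmem_free()`, but nothing in the code records why the order matters, so a later tidy-up could fold the load back into the for-increment and reintroduce the read of freed memory. A one-line comment above the loop would pin it: `/* Fetch nb->nb_next before kmem_free(); nb must not be dereferenced afterwards. */`. `nb_next` is used only inside this loop, so it could also be declared in the loop body rather than at function scope, if the file's style allows that. The function body starts outside this hunk, so whether `ns.ns_first` is initialised and the list is NULL-terminated on every path that reaches `out:` cannot be confirmed from here and is worth checking.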
