CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2019/10/28 13:57:51
Modified files:
sys/kern : sysv_shm.c
Log message:
Copy in the user-supplied buffer in shmctl(2) before looking up the
shared memory segment. Otherwise, if copyin ends up sleeping it allows
another thread to remove the same segment leading to a use-after-free.
Feedback from kettenis@ and ok guenther@
Reported-by: [email protected]
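
The ordering problem the log message describes, as an added user-space model in C (not the OpenBSD source or the committed change). All names here (`pool`, `model_copyin`, `racer_remove0`, `set_mode_*`, `run`) are hypothetical, and a `live` flag in a static pool stands in for freed memory so the stale access can be observed without undefined behaviour.

```c
#include <stdio.h>

/* Constructed user-space model; all names are hypothetical, not OpenBSD's. */
struct seg { int live; int mode; };
static struct seg pool[4];      /* static pool: a stale pointer stays readable */
static void (*on_sleep)(void);  /* what another thread does while we sleep */
static void racer_remove0(void) { pool[0].live = 0; }  /* concurrent removal */

static struct seg *seg_find(int id) {
    return (id >= 0 && id < 4 && pool[id].live) ? &pool[id] : NULL;
}

/* Stand-in for copyin(9): it may sleep, which lets another thread run. */
static void model_copyin(const int *u, int *k) {
    if (on_sleep) on_sleep();
    *k = *u;
}

/* Before: look up, sleepable copy, then use the cached pointer. */
int set_mode_lookup_first(int id, const int *umode, int *stale) {
    int kmode;
    struct seg *s = seg_find(id);
    if (s == NULL) return -1;
    model_copyin(umode, &kmode);
    *stale = !s->live;          /* in a kernel, this is the use-after-free */
    s->mode = kmode;
    return 0;
}

/* After: copy first, so nothing sleeps between lookup and use. */
int set_mode_copy_first(int id, const int *umode, int *stale) {
    int kmode;
    struct seg *s;
    model_copyin(umode, &kmode);
    if ((s = seg_find(id)) == NULL) return -1;  /* already gone: fail cleanly */
    *stale = !s->live;
    s->mode = kmode;
    return 0;
}

/* Run one ordering against the racer; 1 means a dead segment was used. */
int run(int copy_first) {
    int mode = 0600, stale = 0, rc;
    pool[0].live = 1; on_sleep = racer_remove0;
    rc = (copy_first ? set_mode_copy_first : set_mode_lookup_first)(0, &mode, &stale);
    return rc == 0 ? stale : rc;
}

int main(void) { printf("lookup first: %d, copy first: %d\n", run(0), run(1)); return 0; }
```

With the copy done first, the removal that happens during the sleep is seen by the lookup, which fails instead of handing back a pointer that is about to go stale.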
