CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/16 15:18:46
Modified files:
sys/kern : sysv_shm.c
Log message:
Fix sys_shmat().
The shminfo.shmseg could be changed via sysctl during sleeping malloc().
It only grows, so we access memory outside of the allocated chunk within the
following 'for' loop. This issue was exposed by syzkaller [1].
Also, p->p_vmspace points to the ps_vmspace common to the whole process,
so p->p_vmspace->vm_shm could already be set by a concurrent sys_shmat()
thread. We need to check this case, otherwise the pointer to the
concurrently allocated segment will be overwritten.
1. https://syzkaller.appspot.com/bug?extid=9669e87e543ae1f05884
ok deraadt
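The two races the log message describes, reduced to a user-space model. This is an added illustration, not OpenBSD's sysv_shm.c: the tunable `shminfo_shmseg`, the `struct vmspace` with its `vm_shm` pointer, the `sleeping_malloc()` that runs a hook to stand in for whatever happens while the allocator sleeps, and both `shmat_*` functions are simplified stand-ins chosen for the example. `shmat_before_fix()` re-reads the limit after sleeping and stores `vm_shm` unconditionally; `shmat_after_fix()` snapshots the limit before sleeping and keeps a map that another thread installed meanwhile. Out-of-bounds iterations are counted rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for shminfo.shmseg: grows via "sysctl" while shmat() sleeps (assumption). */
static int shminfo_shmseg = 4;

struct vmspace {
    void *vm_shm;                 /* per-process shm map, shared by every thread */
};

/* What happens while the allocator sleeps: a sysctl write or a peer thread. */
typedef void (*sleep_hook_t)(struct vmspace *vm);

static size_t last_alloc_entries; /* true size of the most recent chunk */

/* A malloc() that "sleeps": runs the hook, then allocates the requested size. */
static int *sleeping_malloc(int entries, struct vmspace *vm, sleep_hook_t hook)
{
    if (hook != NULL)
        hook(vm);
    last_alloc_entries = (size_t)entries;
    return calloc((size_t)entries, sizeof(int));
}

static int peer_map[16];          /* map installed by a concurrent shmat() thread */

static void hook_sysctl_grows(struct vmspace *vm) { (void)vm; shminfo_shmseg += 4; }
static void hook_peer_attaches(struct vmspace *vm) { vm->vm_shm = peer_map; }

/* Pre-fix shape: limit re-read after sleeping, vm_shm stored without a check. */
static int shmat_before_fix(struct vmspace *vm, sleep_hook_t hook)
{
    int *map = sleeping_malloc(shminfo_shmseg, vm, hook);
    int oob = 0, i;

    for (i = 0; i < shminfo_shmseg; i++) {   /* limit may have grown meanwhile */
        if ((size_t)i >= last_alloc_entries) {
            oob++;                           /* would be an out-of-bounds write */
            continue;
        }
        map[i] = -1;
    }
    vm->vm_shm = map;                        /* clobbers a concurrently set map */
    return oob;
}

/* Post-fix shape: snapshot the limit, honour a map installed while asleep. */
static int shmat_after_fix(struct vmspace *vm, sleep_hook_t hook)
{
    int nsegs = shminfo_shmseg;              /* read once, before sleeping */
    int *map = sleeping_malloc(nsegs, vm, hook);
    int oob = 0, i;

    for (i = 0; i < nsegs; i++) {            /* bounded by what we allocated */
        if ((size_t)i >= last_alloc_entries) {
            oob++;
            continue;
        }
        map[i] = -1;
    }
    if (vm->vm_shm != NULL) {                /* another thread won the race */
        free(map);
        return oob;
    }
    vm->vm_shm = map;
    return oob;
}

struct outcome {
    int oob_writes;       /* loop iterations that would have run past the chunk */
    int clobbered_peer;   /* 1 if a map set by a concurrent thread was overwritten */
};

/* Run one variant under one interference scenario from a fresh process state. */
static struct outcome run_scenario(int (*shmat)(struct vmspace *, sleep_hook_t),
                                   sleep_hook_t hook)
{
    struct vmspace vm = { NULL };
    struct outcome o = { 0, 0 };

    shminfo_shmseg = 4;
    o.oob_writes = shmat(&vm, hook);
    if (hook == hook_peer_attaches && vm.vm_shm != peer_map)
        o.clobbered_peer = 1;
    if (vm.vm_shm != NULL && vm.vm_shm != peer_map)
        free(vm.vm_shm);
    return o;
}

int main(void)
{
    struct outcome o;

    o = run_scenario(shmat_before_fix, hook_sysctl_grows);
    printf("before fix, shmseg grows : %d out-of-bounds writes\n", o.oob_writes);
    o = run_scenario(shmat_after_fix, hook_sysctl_grows);
    printf("after fix,  shmseg grows : %d out-of-bounds writes\n", o.oob_writes);
    o = run_scenario(shmat_before_fix, hook_peer_attaches);
    printf("before fix, peer attaches: clobbered=%d\n", o.clobbered_peer);
    o = run_scenario(shmat_after_fix, hook_peer_attaches);
    printf("after fix,  peer attaches: clobbered=%d\n", o.clobbered_peer);
    return 0;
}
```

The general lesson is the one the log message states: any value read before a call that may sleep must be treated as stale afterwards, so either snapshot it and size everything off the snapshot, or re-validate shared state (here `vm_shm`) after waking up.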