Author: kib
Date: Sat Feb 15 23:19:23 2020
New Revision: 357984
URL: https://svnweb.freebsd.org/changeset/base/357984

Log:
  sem_remove(): fix the loop that compacts sem array on semaphores removal.
  
  As written now, it copies random kernel memory from beyond the bounds
  of the array.
  
  Reported and tested by:       pho
  Reviewed by:  markj
  Sponsored by: The FreeBSD Foundation (kib)
  MFC after:    1 week
  Differential revision:        https://reviews.freebsd.org/D23694

Modified:
  head/sys/kern/sysv_sem.c

Modified: head/sys/kern/sysv_sem.c
==============================================================================
--- head/sys/kern/sysv_sem.c    Sat Feb 15 23:18:02 2020        (r357983)
+++ head/sys/kern/sysv_sem.c    Sat Feb 15 23:19:23 2020        (r357984)
@@ -584,8 +584,9 @@ sem_remove(int semidx, struct ucred *cred)
                    sema[i].u.__sem_base > semakptr->u.__sem_base)
                        mtx_lock_flags(&sema_mtx[i], LOP_DUPOK);
        }
-       for (i = semakptr->u.__sem_base - sem; i < semtot; i++)
-               sem[i] = sem[i + semakptr->u.sem_nsems];
+       for (i = semakptr->u.__sem_base - sem + semakptr->u.sem_nsems;
+           i < semtot; i++)
+               sem[i - semakptr->u.sem_nsems] = sem[i];
        for (i = 0; i < seminfo.semmni; i++) {
                if ((sema[i].u.sem_perm.mode & SEM_ALLOC) &&
                    sema[i].u.__sem_base > semakptr->u.__sem_base) {
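Review bot: the new loop bounds look right, but the compaction deserves a comment or a memmove() so the index arithmetic is not repeated by hand. In the removed lines, `sem[i] = sem[i + semakptr->u.sem_nsems]` ran i from `__sem_base - sem` to semtot - 1, so the read index reached semtot + sem_nsems - 1, i.e. sem_nsems entries past the populated part of sem, which is the over-read the log describes. The added lines start i at `__sem_base - sem + sem_nsems` and read only sem[i] with i < semtot, writing to i - sem_nsems, so both sides stay within [__sem_base - sem, semtot). The same move is `memmove(semakptr->u.__sem_base, semakptr->u.__sem_base + semakptr->u.sem_nsems, (semtot - (semakptr->u.__sem_base - sem) - semakptr->u.sem_nsems) * sizeof(struct sem))`, and a KASSERT that that element count is non-negative would document the invariant the loop relies on.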