Author: dchagin
Date: Mon May  1 12:25:37 2017
New Revision: 317645
URL: https://svnweb.freebsd.org/changeset/base/317645

Log:
  Fix NULL pointer dereference in futex_wake_op() when the same address is
  specified for the arguments uaddr and uaddr2.
  
  PR:           218987
  Reported by:  luke.tw gmail
  MFC after:    1 week

Modified:
  head/sys/compat/linux/linux_futex.c

Modified: head/sys/compat/linux/linux_futex.c
==============================================================================
--- head/sys/compat/linux/linux_futex.c Mon May  1 10:12:59 2017        
(r317644)
+++ head/sys/compat/linux/linux_futex.c Mon May  1 12:25:37 2017        
(r317645)
@@ -952,6 +952,11 @@ retry1:
                    args->uaddr, args->val, args->uaddr2, args->val3,
                    args->timeout);
 
+               if (args->uaddr == args->uaddr2) {
+                       LIN_SDT_PROBE1(futex, linux_sys_futex, return, EINVAL);
+                       return (EINVAL);
+               }
+
 retry2:
                error = futex_get(args->uaddr, NULL, &f, flags | 
FUTEX_DONTLOCK);
                if (error) {
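Review bot: The added guard `if (args->uaddr == args->uaddr2)` compares the two user-supplied virtual addresses only, so it covers the identical-pointer case from the PR but not two different addresses that might resolve to the same futex. Whether `futex_get()` can return the same object for both lookups (for example through a shared mapping) is not visible here; if it can, `f` and `f2` would still be one object after the second `futex_get()` in the next hunk, and comparing `f == f2` there (releasing both references before returning EINVAL) would close that case. The guard also has no comment; something like `/* The wake-op path needs two distinct futexes; reject uaddr == uaddr2. */` above it would record why the request is refused. The enclosing function starts and ends outside this hunk, so how `f` and `f2` are used afterwards is inferred from the commit log rather than seen.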
@@ -959,9 +964,7 @@ retry2:
                        return (error);
                }
 
-               if (args->uaddr != args->uaddr2)
-                       error = futex_get(args->uaddr2, NULL, &f2,
-                           flags | FUTEX_DONTLOCK);
+               error = futex_get(args->uaddr2, NULL, &f2, flags | 
FUTEX_DONTLOCK);
                if (error) {
                        futex_put(f, NULL);
 