Date:      Tue, 3 Feb 2015 10:29:41 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r278145 - head/sys/kern
Message-ID:  <201502031029.t13ATfPp065367@svn.freebsd.org>

Author: kib
Date: Tue Feb  3 10:29:40 2015
New Revision: 278145
URL: https://svnweb.freebsd.org/changeset/base/278145

Log:
  Fix use after free in pipe_dtor().  The PIPE_NAMED flag must be tested
  before pipeclose() is called, since in the !PIPE_NAMED case, when the peer
  is already closed, the pipe pair memory is freed.
  
  Submitted by:	luke.tw@gmail.com
  PR:	197246
  Tested by:	pho
  MFC after:	3 days
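A runnable model of the ordering bug this commit fixes, added here as an illustration and not code from the commit or from sys_pipe.c: the pipe structures and pipeclose() are simplified and instrumented so that a read through an already released pair is counted instead of being undefined behaviour, and the pre- and post-r278145 shapes of pipe_dtor() run against the same scenario from the PR. The flag values, the pipepair layout and the helper names are assumptions.

```c
#include <stdlib.h>

#define PIPE_NAMED 0x1  /* placeholder bit values, not those of sys/pipe.h */
#define PIPE_EOF   0x2

struct pipepair;
struct pipe { int pipe_state; struct pipe *pipe_peer; struct pipepair *pipe_pair; };
struct pipepair { struct pipe rpipe, wpipe; int freed; };

/* Instrumented reads: count every access to a pipe whose pair was released. */
static int uaf_hits;
static int pipe_state_of(struct pipe *p) { if (p->pipe_pair->freed) uaf_hits++; return p->pipe_state; }
static struct pipe *pipe_peer_of(struct pipe *p) { if (p->pipe_pair->freed) uaf_hits++; return p->pipe_peer; }

/* Simplified pipeclose(): an anonymous pair whose peer is already closed is
 * released as a whole; modelled as a flag instead of a real free(). */
static void pipeclose(struct pipe *cpipe)
{
	cpipe->pipe_state |= PIPE_EOF;
	if ((cpipe->pipe_state & PIPE_NAMED) == 0 && (cpipe->pipe_peer->pipe_state & PIPE_EOF) != 0)
		cpipe->pipe_pair->freed = 1;
}

/* Before r278145: the flag is tested on dpipe after pipeclose() may have freed it. */
static void pipe_dtor_old(struct pipe *dpipe)
{
	pipeclose(dpipe);
	if (pipe_state_of(dpipe) & PIPE_NAMED)
		pipeclose(pipe_peer_of(dpipe));
}

/* After r278145: everything needed from dpipe is read before pipeclose(). */
static void pipe_dtor_new(struct pipe *dpipe)
{
	struct pipe *peer = (pipe_state_of(dpipe) & PIPE_NAMED) != 0 ? pipe_peer_of(dpipe) : NULL;
	pipeclose(dpipe);
	if (peer != NULL)
		pipeclose(peer);
}

/* PR scenario: the peer end is closed first, then dpipe is destroyed.
 * Returns the number of reads that hit the released pair; 0 is correct. */
static int run_scenario(int named, void (*dtor)(struct pipe *))
{
	struct pipepair *pp = calloc(1, sizeof(*pp));
	pp->rpipe.pipe_peer = &pp->wpipe; pp->wpipe.pipe_peer = &pp->rpipe;
	pp->rpipe.pipe_pair = pp->wpipe.pipe_pair = pp;
	if (named) pp->rpipe.pipe_state = pp->wpipe.pipe_state = PIPE_NAMED;
	uaf_hits = 0;
	pipeclose(&pp->wpipe);   /* peer goes away first */
	dtor(&pp->rpipe);        /* then the end being destroyed */
	free(pp);
	return uaf_hits;
}
```

Only the anonymous pair with the old destructor touches released memory; the named pair is never released by pipeclose() in this model, which is why the original code only misbehaved in the !PIPE_NAMED case.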

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c	Tue Feb  3 08:59:42 2015	(r278144)
+++ head/sys/kern/sys_pipe.c	Tue Feb  3 10:29:40 2015	(r278145)
@@ -377,15 +377,16 @@ pipe_named_ctor(struct pipe **ppipe, str
 void
 pipe_dtor(struct pipe *dpipe)
 {
+	struct pipe *peer;
 	ino_t ino;
 
 	ino = dpipe->pipe_ino;
+	peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;
 	funsetown(&dpipe->pipe_sigio);
 	pipeclose(dpipe);
-	if (dpipe->pipe_state & PIPE_NAMED) {
-		dpipe = dpipe->pipe_peer;
-		funsetown(&dpipe->pipe_sigio);
-		pipeclose(dpipe);
+	if (peer != NULL) {
+		funsetown(&peer->pipe_sigio);
+		pipeclose(peer);
 	}
 	if (ino != 0 && ino != (ino_t)-1)
 		free_unr(pipeino_unr, ino);
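Review bot: the `peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;` line is the whole fix, but nothing at that point records why the peer must be captured before `pipeclose(dpipe)`; a short comment there stating that pipeclose() releases the pair in the !PIPE_NAMED case when the peer is already closed would keep a later cleanup from folding the test back into the `if`. Otherwise the ordering is right: both `ino` and `peer` are read before the first pipeclose(), `dpipe` is not dereferenced after it, and `peer` is only dereferenced before its own pipeclose().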