Author: kib
Date: Tue Feb  3 10:29:40 2015
New Revision: 278145
URL: https://svnweb.freebsd.org/changeset/base/278145

Log:
  Fix use after free in pipe_dtor().  PIPE_NAMED flag must be tested
  before pipeclose() is called, since for !PIPE_NAMED case, when peer is
  already closed, the pipe pair memory is freed.
  
  Submitted by: luke...@gmail.com
  PR:   197246
  Tested by:    pho
  MFC after:    3 days

Modified:
  head/sys/kern/sys_pipe.c

Modified: head/sys/kern/sys_pipe.c
==============================================================================
--- head/sys/kern/sys_pipe.c    Tue Feb  3 08:59:42 2015        (r278144)
+++ head/sys/kern/sys_pipe.c    Tue Feb  3 10:29:40 2015        (r278145)
@@ -377,15 +377,16 @@ pipe_named_ctor(struct pipe **ppipe, str
 void
 pipe_dtor(struct pipe *dpipe)
 {
+       struct pipe *peer;
        ino_t ino;
 
        ino = dpipe->pipe_ino;
+       peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;
        funsetown(&dpipe->pipe_sigio);
        pipeclose(dpipe);
-       if (dpipe->pipe_state & PIPE_NAMED) {
-               dpipe = dpipe->pipe_peer;
-               funsetown(&dpipe->pipe_sigio);
-               pipeclose(dpipe);
+       if (peer != NULL) {
+               funsetown(&peer->pipe_sigio);
+               pipeclose(peer);
        }
        if (ino != 0 && ino != (ino_t)-1)
                free_unr(pipeino_unr, ino);
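Review bot: the line `peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;` carries the whole point of the fix (the peer pointer, and the PIPE_NAMED test, must be taken before `pipeclose(dpipe)` can free the pair in the unnamed case), but nothing in the code says so; only the commit log does. A one-line comment above it, e.g. `/* Must be read before pipeclose(): it may free the pair. */`, would stop a later cleanup from "simplifying" the test back to after the close. Also worth stating next to `if (peer != NULL)` is the invariant this now relies on: for a named pipe the peer remains allocated after `pipeclose(dpipe)` and is only released by the second `pipeclose(peer)`, so `peer->pipe_sigio` is still valid at that point.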
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head