Module Name: src
Committed By: maxv
Date: Thu Jun 25 16:19:07 UTC 2020
Modified Files:
src/sys/kern: sys_pipe.c
Log Message:
Fix NULL deref. The original code before Jaromir's cleanup had an #ifndef
block that wrongly contained the 'else' statement, causing the NULL check
to have no effect.
Reported-by: syzbot+c41bbfe5a7ff07bf0...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.149 -r1.150 src/sys/kern/sys_pipe.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/sys_pipe.c
diff -u src/sys/kern/sys_pipe.c:1.149 src/sys/kern/sys_pipe.c:1.150
--- src/sys/kern/sys_pipe.c:1.149 Thu Jun 25 14:22:18 2020
+++ src/sys/kern/sys_pipe.c Thu Jun 25 16:19:07 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_pipe.c,v 1.149 2020/06/25 14:22:18 jdolecek Exp $ */
+/* $NetBSD: sys_pipe.c,v 1.150 2020/06/25 16:19:07 maxv Exp $ */
/*-
* Copyright (c) 2003, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_pipe.c,v 1.149 2020/06/25 14:22:18 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_pipe.c,v 1.150 2020/06/25 16:19:07 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -778,7 +778,8 @@ pipe_ioctl(file_t *fp, u_long cmd, void
pipe = pipe->pipe_peer;
if (pipe == NULL)
*(int *)data = 0;
- *(int *)data = pipe->pipe_buffer.cnt;
+ else
+ *(int *)data = pipe->pipe_buffer.cnt;
mutex_exit(lock);
return (0);
