CVSROOT:	/cvs
Module name:	src
Changes by:	o...@cvs.openbsd.org	2009/06/26 14:26:02
Modified files:
	sys/uvm        : uvm_pdaemon.c

Log message:
Fix a use after free in the pagedaemon.

Specifically, if we free a RELEASED anon, then we will first of all remove
the page from the anon, free the anon, then get the next page relative to
the anon page, then call uvm_pagefree(). The problem is that while we zero
out anon->an_page, we do not zero out pg->uanon. Now, uvm_pagefree(), if
pg->uanon is not NULL, zeroes out some variables in the struct for us. One
of the backed out commits added more zeroing there, which would have
exacerbated this use after free under heavy paging (which was where we saw
bugs). Fix this by zeroing out pg->uanon.

I have looked for other similar cases, but have not found any as of yet.

Been in snaps a while; "please do commit that" deraadt@
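The pattern the log message describes is a pair of objects that point at each other, where only one side of the link is cleared before the owner is freed. The simulation below is an added illustration written for this page; it is not OpenBSD code and not the patch itself. The struct names (vm_page, vm_anon, uanon, an_page) are borrowed from the message, but the structs are cut down to the two cross-pointers, the allocator is replaced by a `freed` flag, and the helper names (anon_free, page_free, release_anon_and_page, run_scenario) are invented for the example. It counts, instead of performing, the write into the freed anon that uvm_pagefree() would make through a dangling pg->uanon, and shows that clearing the back-pointer before the free is what removes it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for UVM's struct vm_anon / struct vm_page.
 * Only the two cross-pointers matter for the bug being illustrated.
 */
struct vm_anon;

struct vm_page {
	struct vm_anon *uanon;		/* back-pointer to owning anon, NULL when none */
	bool in_use;
};

struct vm_anon {
	struct vm_page *an_page;	/* page backing this anon, NULL when none */
	int an_ref;
	bool freed;			/* simulation only: set once "returned to the pool" */
};

/* simulation only: accesses made through a pg->uanon that was already freed */
static int uaf_accesses;

/* stand-in for the anon free path: after this the anon must not be touched */
static void
anon_free(struct vm_anon *anon)
{
	anon->an_page = NULL;
	anon->an_ref = 0;
	anon->freed = true;
}

/*
 * stand-in for uvm_pagefree(): as in the real one, a non-NULL pg->uanon is
 * dereferenced and written to. In a kernel that write lands in freed memory
 * when the pointer dangles; here it is counted instead.
 */
static void
page_free(struct vm_page *pg)
{
	if (pg->uanon != NULL) {
		if (pg->uanon->freed)
			uaf_accesses++;
		pg->uanon->an_page = NULL;	/* the zeroing the message refers to */
		pg->uanon = NULL;
	}
	pg->in_use = false;
}

/*
 * The RELEASED-anon path from the log message. fixed == false reproduces the
 * buggy ordering (anon->an_page cleared, pg->uanon left dangling);
 * fixed == true adds the one-line fix of clearing pg->uanon as well.
 */
static void
release_anon_and_page(struct vm_page *pg, struct vm_anon *anon, bool fixed)
{
	anon->an_page = NULL;		/* remove the page from the anon */
	if (fixed)
		pg->uanon = NULL;	/* the fix: the page no longer points at the anon */
	anon_free(anon);		/* free the anon; pg->uanon dangles in the buggy case */
	page_free(pg);			/* then free the page: follows pg->uanon if set */
}

/* Run one scenario; returns the number of freed-anon accesses (0 is correct). */
int
run_scenario(bool fixed)
{
	struct vm_anon anon = { NULL, 1, false };
	struct vm_page pg = { &anon, true };

	anon.an_page = &pg;
	uaf_accesses = 0;
	release_anon_and_page(&pg, &anon, fixed);
	return uaf_accesses;
}

int
main(void)
{
	printf("buggy ordering: %d freed-anon access(es)\n", run_scenario(false));
	printf("with fix:       %d freed-anon access(es)\n", run_scenario(true));
	return 0;
}
```

The check worth carrying over to real code is the one page_free() performs: any routine that follows a back-pointer on free must be able to trust that the owner cleared it, so the clearing belongs at the point where the owner is detached, not somewhere later in the caller.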