svn commit: r350282 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern

Wed, 24 Jul 2019 05:53:30 -0700 

Author: gordon
Date: Wed Jul 24 12:53:06 2019
New Revision: 350282
URL: https://svnweb.freebsd.org/changeset/base/350282

Log:
  Fix pts write-after-free.
  
  Approved by:  so
  Security:     FreeBSD-SA-19:13.pts
  Security:     CVE-2019-5606

Modified:
  releng/11.2/sys/kern/tty.c
  releng/11.3/sys/kern/tty.c
  releng/12.0/sys/kern/tty.c

Modified: releng/11.2/sys/kern/tty.c
==============================================================================
--- releng/11.2/sys/kern/tty.c  Wed Jul 24 12:51:52 2019        (r350281)
+++ releng/11.2/sys/kern/tty.c  Wed Jul 24 12:53:06 2019        (r350282)
@@ -230,9 +230,6 @@ ttydev_leave(struct tty *tp)
 
        tp->t_flags |= TF_OPENCLOSE;
 
-       /* Stop asynchronous I/O. */
-       funsetown(&tp->t_sigio);
-
        /* Remove console TTY. */
        if (constty == tp)
                constty_clear();
@@ -1122,6 +1119,9 @@ tty_rel_free(struct tty *tp)
                tty_unlock(tp);
                return;
        }
+
+       /* Stop asynchronous I/O. */
+       funsetown(&tp->t_sigio);
 
        /* TTY can be deallocated. */
        dev = tp->t_dev;

Modified: releng/11.3/sys/kern/tty.c
==============================================================================
--- releng/11.3/sys/kern/tty.c  Wed Jul 24 12:51:52 2019        (r350281)
+++ releng/11.3/sys/kern/tty.c  Wed Jul 24 12:53:06 2019        (r350282)
@@ -230,9 +230,6 @@ ttydev_leave(struct tty *tp)
 
        tp->t_flags |= TF_OPENCLOSE;
 
-       /* Stop asynchronous I/O. */
-       funsetown(&tp->t_sigio);
-
        /* Remove console TTY. */
        if (constty == tp)
                constty_clear();
@@ -1122,6 +1119,12 @@ tty_rel_free(struct tty *tp)
                tty_unlock(tp);
                return;
        }
+
+       /* Stop asynchronous I/O. */
+       funsetown(&tp->t_sigio);
+
+       /* Stop asynchronous I/O. */
+       funsetown(&tp->t_sigio);
 
        /* TTY can be deallocated. */
        dev = tp->t_dev;

Modified: releng/12.0/sys/kern/tty.c
==============================================================================
--- releng/12.0/sys/kern/tty.c  Wed Jul 24 12:51:52 2019        (r350281)
+++ releng/12.0/sys/kern/tty.c  Wed Jul 24 12:53:06 2019        (r350282)
@@ -231,9 +231,6 @@ ttydev_leave(struct tty *tp)
 
        tp->t_flags |= TF_OPENCLOSE;
 
-       /* Stop asynchronous I/O. */
-       funsetown(&tp->t_sigio);
-
        /* Remove console TTY. */
        if (constty == tp)
                constty_clear();
@@ -1123,6 +1120,9 @@ tty_rel_free(struct tty *tp)
                tty_unlock(tp);
                return;
        }
+
+       /* Stop asynchronous I/O. */
+       funsetown(&tp->t_sigio);
 
        /* TTY can be deallocated. */
        dev = tp->t_dev;
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to