projects / dragonfly.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 15ce538) | patch
kernel - Rejigger midistat functions to close a race
authorMatthew Dillon <dillon@apollo.backplane.com>
Wed, 21 Aug 2019 01:50:59 +0000 (18:50 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Wed, 21 Aug 2019 01:50:59 +0000 (18:50 -0700)
commitf70430d0e321043abdf733b90d80d93d06155acf
treec5652f4ccdb3a711f9cd54d861ef06a36d31d2bbtree | snapshot
parent15ce538f8de886623fb5c3600de5fa6de7db518dcommit | diff
kernel - Rejigger midistat functions to close a race

* Make sure lock has full coverage across midistat_open() and
  midistat_read().  The temporary drop of the lock in midistat_read()
  lead to a race which allows one to read kernel memory beyond the
  end of the sbuf buffer.

* Rejigger the code to remove the global offset and just use
  uio_offset, which also fixes the same race (but leave the
  lock coverage in place regardless).

Taken-From: FreeBSD
Security:       CVE-2019-5612
sys/dev/sound/midi/midi.c diff | blob | blame | history
DragonFly Project Source