sem_remove(): fix the loop that compacts sem array on semaphores removal.
As written now, it copies random kernel memory from beyond the bounds of the array. Reported and tested by: pho Reviewed by: markj Sponsored by: The FreeBSD Foundation (kib) MFC after: 1 week Differential revision: https://reviews.freebsd.org/D23694
This commit is contained in:
parent
4cb6ea7e8e
commit
a7b61c0af1
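@@ -584,8 +584,9 @@ sem_remove(int semidx, struct ucred *cred)
 sema[i].u.__sem_base > semakptr->u.__sem_base)
 mtx_lock_flags(&sema_mtx[i], LOP_DUPOK);
 }
-for (i = semakptr->u.__sem_base - sem; i < semtot; i++)
-sem[i] = sem[i + semakptr->u.sem_nsems];
+for (i = semakptr->u.__sem_base - sem + semakptr->u.sem_nsems;
+i < semtot; i++)
+sem[i - semakptr->u.sem_nsems] = sem[i];
 for (i = 0; i < seminfo.semmni; i++) {
 if ((sema[i].u.sem_perm.mode & SEM_ALLOC) &&
 sema[i].u.__sem_base > semakptr->u.__sem_base) {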
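Review bot: The rewritten compaction loop reads only `sem[i]` for `i < semtot`, so the over-read the old form had through `sem[i + sem_nsems]` is gone, but the loop's correctness still hinges on `semtot` counting the removed set at this point, and nothing in the hunk shows where `semtot` is decremented or that it happens after the move; a comment would pin that invariant for the next editor, e.g. `/* Slide every set above this one down by sem_nsems; semtot must still include the set being removed here. */`. The loop also silently depends on the `sema_mtx` locks taken in the preceding loop being held across the move and the `__sem_base` fixup that follows, which is worth stating in the same comment. Stylistically the whole shift is one overlapping copy and could be written as a single `memmove()` of `(semtot - (semakptr->u.__sem_base - sem + semakptr->u.sem_nsems)) * sizeof(*sem)` bytes from `__sem_base + sem_nsems` to `__sem_base`, which makes the in-bounds source range explicit. sem_remove() begins and ends outside the hunk.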