Fix reference count overflow in mqueuefs.
Approved by:	so
Security:	FreeBSD-SA-19:15.mqueuefs
Security:	CVE-2019-5603
tetlowgm authored and fichtner committed Aug 1, 2019
1 parent 39bcb48 commit e28acae
Showing 1 changed file with 6 additions and 3 deletions.
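--- a/sys/kern/uipc_mqueue.c
+++ b/sys/kern/uipc_mqueue.c
@@ -2266,13 +2266,14 @@ sys_kmq_timedreceive(struct thread *td, struct kmq_timedreceive_args *uap)
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
-return (error);
+goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2291,13 +2292,14 @@ sys_kmq_timedsend(struct thread *td, struct kmq_timedsend_args *uap)
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
-return (error);
+goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2815,7 +2817,7 @@ freebsd32_kmq_timedreceive(struct thread *td,
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 if (error != 0)
-return (error);
+goto out;
 CP(ets32, ets, tv_sec);
 CP(ets32, ets, tv_nsec);
 abs_timeout = &ets;
@@ -2824,6 +2826,7 @@ freebsd32_kmq_timedreceive(struct thread *td,
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }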
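Review bot: The 32-bit compat send path is not covered here: the hunks patch sys_kmq_timedreceive, sys_kmq_timedsend and freebsd32_kmq_timedreceive, but none touches a freebsd32 send counterpart. If freebsd32_kmq_timedsend has the same `copyin` failure followed by `return (error);`, it would still leave without `fdrop(fp, td)` and keep one extra reference on the file per failed call. All three patched functions begin outside their hunks, so the call that takes the reference on `fp` is not visible; every `return` between that call and `fdrop(fp, td)` in this file should be audited, not only the three changed here. A comment above each `out:` label, such as `/* every exit after fp is acquired must pass through fdrop() */`, would keep the invariant in front of the next editor.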
