LKM: Fix a use after free

+12 -2
+12 -2
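--- a/src/lkm/psynch/psynch_mutex.c
+++ b/src/lkm/psynch/psynch_mutex.c
@@ -34,6 +34,7 @@
 wait_queue_head_t wq;
 struct list_head waiting;
 unsigned int refcount;
+bool underlock; // unlocked when no one was waiting
 };
 typedef struct pthread_mutex pthread_mutex_t;
 
@@ -63,7 +64,8 @@
 
 mutex = mutex_get(task, args.mutex);
 
-if (mutex->mgen != 0)
+// TODO: what if this destroys the mutex whilst someone else is waiting?
+if (mutex->mgen != 0 && mutex->underlock)
 {
 retval = mutex->mgen;
 
@@ -135,7 +137,8 @@
 
 wake_up_interruptible(&mutex->wq);
 mutex_put(task, mutex);
-}
+} else
+mutex->underlock = true;
 
 spin_unlock(&task->mutex_wq_lock);
 
@@ -158,6 +161,7 @@
 node->refcount = 1;
 node->mgen = 0;
 node->pointer = address;
+node->underlock = false;
 
 init_waitqueue_head(&node->wq);
 INIT_LIST_HEAD(&node->waiting);
@@ -172,7 +176,13 @@
 
 if (mutex->refcount == 0)
 {
+debug_msg("Destroying mutex %p", mutex);
 hash_del(&mutex->node);
 kfree(mutex);
+}
+
+if (mutex->refcount < 0)
+{
+debug_msg("!!!!!!! refcount is %d", mutex->refcount);
 }
 }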
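Review bot: The new `if (mutex->refcount < 0)` block in the last hunk reads `mutex->refcount` after the preceding branch has already called `kfree(mutex)`, so in a commit titled "Fix a use after free" the refcount == 0 path now introduces a fresh read of freed memory. The check is also dead code, because `refcount` is declared `unsigned int` in the first hunk and can never be negative, and the `%d` specifier does not match the unsigned argument. If the intent is to catch a decrement past zero, the guard has to run before the decrement, which sits outside this hunk in the enclosing function, e.g. `if (WARN_ON(mutex->refcount == 0)) return;` ahead of it; at minimum the existing block should become `} else if (...)` or the free path should `return;` so nothing touches `mutex` after `kfree`. The `} else` / `mutex->underlock = true;` in the third hunk would also benefit from braces, given that the next statement after the blank line is `spin_unlock`.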