[src/trunk]: src/sys/kern avoid use-after-free in *coredump().

[mrg <mrg%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/a0b40a72e0f6
branches:  trunk
changeset: 325746:a0b40a72e0f6
user:      mrg <mrg%NetBSD.org@localhost>
date:      Sun Jan 05 00:53:53 2014 +0000

description:
avoid use-after-free in *coredump().
fixes kernel crashes during coredump on sparc64.

diffstat:

 sys/kern/core_elf32.c |  9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diffs (38 lines):

diff -r 93c7e67961ab -r a0b40a72e0f6 sys/kern/core_elf32.c
--- a/sys/kern/core_elf32.c     Sat Jan 04 21:42:42 2014 +0000
+++ b/sys/kern/core_elf32.c     Sun Jan 05 00:53:53 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: core_elf32.c,v 1.42 2014/01/04 00:10:03 dsl Exp $      */
+/*     $NetBSD: core_elf32.c,v 1.43 2014/01/05 00:53:53 mrg Exp $      */
 
 /*
  * Copyright (c) 2001 Wasabi Systems, Inc.
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: core_elf32.c,v 1.42 2014/01/04 00:10:03 dsl Exp $");
+__KERNEL_RCSID(1, "$NetBSD: core_elf32.c,v 1.43 2014/01/05 00:53:53 mrg Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_coredump.h"
@@ -116,6 +116,7 @@
 
        struct note_state ns;
        struct note_buf *nb;
+       struct note_buf *nb_next;
 
        psections = NULL;
 
@@ -256,8 +257,10 @@
   out:
        if (psections)
                kmem_free(psections, psectionssize);
-       for (; (nb = ns.ns_first) != NULL; ns.ns_first = nb->nb_next)
+       for (; (nb = ns.ns_first) != NULL; ns.ns_first = nb_next) {
+               nb_next = nb->nb_next;
                kmem_free(nb, sizeof *nb);
+       }
        return (error);
 }