Re: CVS commit: src/sys/kern

[Maxime Villard <max%m00nbsd.net@localhost>]

Le 01/10/2019 à 18:36, Chuck Silvers a écrit :
> Module Name:	src
> Committed By:	chs
> Date:		Tue Oct  1 16:36:58 UTC 2019
>
> Modified Files:
> 	src/sys/kern: sysv_shm.c
>
> Log Message:
> in shmdt(), wait until shmat() completes before detaching.
>
> Reported-by: syzbot+8f470a1bf36b47ae0040%syzkaller.appspotmail.com@localhost
> Reported-by: syzbot+45810b4c41ed65d9148d%syzkaller.appspotmail.com@localhost
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.138 -r1.139 src/sys/kern/sysv_shm.c
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.

Looks like this line is missing

diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c
index b090d1bc4262..c52cb65ec768 100644
--- a/sys/kern/sysv_shm.c
+++ b/sys/kern/sysv_shm.c
@@ -259,6 +259,7 @@ shmmap_getprivate(struct proc *p)
 		shmmap_se = kmem_alloc(sizeof(struct shmmap_entry), KM_SLEEP);
 		shmmap_se->va = oshmmap_se->va;
 		shmmap_se->shmid = oshmmap_se->shmid;
+		shmmap_se->busy = oshmmap_se->busy;
 		SLIST_INSERT_HEAD(&shmmap_s->entries, shmmap_se, next);
 	}
 	shmmap_s->nitems = oshmmap_s->nitems;

The access made from the caller is not initialized

353 	if (shmmap_se->busy) {