
sysctl KERN_SYSVIPC_SEM_INFO was leaking the sem_base kernel pointer to userland.

This was used by ipcs(1), so change to use sem_ctime instead to decide if it
should show the semaphore.

Found independently by me and a report from Bruce Dang of Calif.io (minutes apart).
ok deraadt
dgl
2026-04-16 07:03:15 +00:00
parent 8d7a3d558a
commit 76d3556486
2 changed files with 4 additions and 3 deletions
+2 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: kern_sysctl.c,v 1.488 2026/04/15 19:29:02 deraadt Exp $ */
/* $OpenBSD: kern_sysctl.c,v 1.489 2026/04/16 07:03:15 dgl Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@@ -2763,6 +2763,7 @@ sysctl_sysvipc(int *name, u_int namelen, void *where, size_t *sizep)
dssize);
else
memset(&semsi->semids[i], 0, dssize);
semsi->semids[i].sem_base = NULL;
break;
#endif
#ifdef SYSVSHM
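Review bot: The added `semsi->semids[i].sem_base = NULL;` carries no comment, so a later cleanup could drop it as redundant after the `memset` branch and reopen the kernel-address disclosure the commit message describes. I would add `/* never export the kernel address of the semaphore array to userland */` directly above it. The scrub is per field, so any other pointer member of the exported structure would still go out through the copy in the branch above (its call is cut off at the top of the hunk); the structure definition and the SYSVSHM case that begins right after this hunk are not visible here, so it is worth confirming they are handled the same way. The enclosing sysctl_sysvipc() starts and ends outside the hunk.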
+2 -2
@@ -1,4 +1,4 @@
/* $OpenBSD: ipcs.c,v 1.27 2019/06/28 13:35:01 deraadt Exp $ */
/* $OpenBSD: ipcs.c,v 1.28 2026/04/16 07:03:15 dgl Exp $ */
/* $NetBSD: ipcs.c,v 1.25 2000/06/16 03:58:20 simonb Exp $ */
/*-
@@ -630,7 +630,7 @@ sem_sysctl(void)
for (i = 0; i < semsi->seminfo.semmni; i++) {
struct semid_ds *semaptr = &semsi->semids[i];
if (semaptr->sem_base != NULL)
if (semaptr->sem_ctime != 0)
show_seminfo(semaptr->sem_otime,
semaptr->sem_ctime,
IXSEQ_TO_IPCID(i, semaptr->sem_perm),
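Review bot: `sem_ctime != 0` now doubles as the slot-in-use test, which depends on two kernel behaviours that ipcs does not state: unused slots are zero-filled, and a live semaphore set always has a non-zero change time. The first is visible in the kernel part of this commit (the `memset` in the else branch); the second is established outside this page, so it should be confirmed. A comment such as `/* sem_base is no longer exported; unused slots are zeroed, so ctime == 0 means free */` above the test would record the contract. An ipcs binary built before this change that still tests `sem_base` would presumably list no semaphores on a kernel that has it, so kernel and userland need to be updated together. sem_sysctl() continues past the end of the hunk.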