Mailing List Archive

From:: Hans-Jörg Höxer <hshoexer@genua.de>
Subject:: psp(4): sc_tmr_map to NULL to avoid use-after-free
To:: <tech@openbsd.org>
Date:: Tue, 12 Aug 2025 11:21:25 +0200

Download raw body.

Thread

2025-08-12 09:21 Hans-Jörg Höxer:
psp(4): sc_tmr_map to NULL to avoid use-after-free
- 2025-08-12 19:17 Alexander Bluhm:
  psp(4): sc_tmr_map to NULL to avoid use-after-free

Hi,

to avoid use-after-free type problems set sc->sc_tmr_map to NULL after
destroying the map in the error path of psp_reinit().  Similar to
psp_shutdown().

ok?

Take care,
HJ.

--------------------------------------------------------------------------
commit 0c0e09fb5271fe7c3f0a93f638d316f6af8061d6
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date:   Wed Jul 23 16:53:22 2025 +0200

    psp(4): sc_tmr_map to NULL to avoid use-after-free

diff --git a/sys/dev/ic/psp.c b/sys/dev/ic/psp.c
index 9345c3ed0d5..fb6f6026ad9 100644
--- a/sys/dev/ic/psp.c
+++ b/sys/dev/ic/psp.c
@@ -406,6 +406,7 @@ fail_2:
 	bus_dmamem_free(sc->sc_dmat, &sc->sc_tmr_seg, nsegs);
 fail_1:
 	bus_dmamap_destroy(sc->sc_dmat, sc->sc_tmr_map);
+	sc->sc_tmr_map = NULL;
 fail_0:
 	return (error);
 }

smime.p7s (5K)

2025-08-12 09:21 Hans-Jörg Höxer:
psp(4): sc_tmr_map to NULL to avoid use-after-free
- 2025-08-12 19:17 Alexander Bluhm:
  psp(4): sc_tmr_map to NULL to avoid use-after-free