37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
commit bc6b36682f188020ee4770fae1d41bde5b2c97bb
|
|
Author: Andrew G. Morgan <morgan@kernel.org>
|
|
Date: Wed May 3 19:18:36 2023 -0700
|
|
|
|
Correct the check of pthread_create()'s return value.
|
|
|
|
This function returns a positive number (errno) on error, so the code
|
|
wasn't previously freeing some memory in this situation.
|
|
|
|
Discussion:
|
|
|
|
https://stackoverflow.com/a/3581020/14760867
|
|
|
|
Credit for finding this bug in libpsx goes to David Gstir of
|
|
X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
|
|
audit of the libcap source code in April of 2023. The audit
|
|
was sponsored by the Open Source Technology Improvement Fund
|
|
(https://ostif.org/).
|
|
|
|
Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
|
|
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
diff --git a/psx/psx.c b/psx/psx.c
|
|
index d9c0485..65eb2aa 100644
|
|
--- a/psx/psx.c
|
|
+++ b/psx/psx.c
|
|
@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
|
|
pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
|
|
|
|
int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
|
|
- if (ret == -1) {
|
|
+ if (ret > 0) {
|
|
psx_new_state(_PSX_CREATE, _PSX_IDLE);
|
|
memset(starter, 0, sizeof(*starter));
|
|
free(starter);
|