Correct the check of pthread_create()'s return value.

This function returns a positive number (errno) on error, so the code wasn't previously freeing some memory in this situation. Discussion: https://stackoverflow.com/a/3581020/14760867 Credit for finding this bug in libpsx goes to David Gstir of X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit of the libcap source code in April of 2023. The audit was sponsored by the Open Source Technology Improvement Fund (https://ostif.org/). Audit ref: LCAP-CR-23-01 (CVE-2023-2602) Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
AndrewGMorgan · May 10, 2023 · bc6b366 · bc6b366
1 parent 819f941
commit bc6b366
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/psx/psx.c b/psx/psx.c
@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
     pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
 
     int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
-    if (ret == -1) {
+    if (ret > 0) {
 	psx_new_state(_PSX_CREATE, _PSX_IDLE);
 	memset(starter, 0, sizeof(*starter));
 	free(starter);