svn commit: r228033 - stable/9/sys/kern

Konstantin Belousov kib at FreeBSD.org
Sun Nov 27 18:56:04 UTC 2011


Author: kib
Date: Sun Nov 27 18:56:04 2011
New Revision: 228033
URL: http://svn.freebsd.org/changeset/base/228033

Log:
  MFC r227952:
  Fix a race between getvnode() dereferencing half-constructed file
  and dupfdopen().
  
  Approved by:	re (bz)

Modified:
  stable/9/sys/kern/vfs_syscalls.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/kern/vfs_syscalls.c
==============================================================================
--- stable/9/sys/kern/vfs_syscalls.c	Sun Nov 27 18:49:16 2011	(r228032)
+++ stable/9/sys/kern/vfs_syscalls.c	Sun Nov 27 18:56:04 2011	(r228033)
@@ -4342,7 +4342,20 @@ getvnode(struct filedesc *fdp, int fd, c
 		fp = fp_fromcap;
 	}
 #endif /* CAPABILITIES */
-	if (fp->f_vnode == NULL) {
+
+	/*
+	 * The file could be not of the vnode type, or it may be not
+	 * yet fully initialized, in which case the f_vnode pointer
+	 * may be set, but f_ops is still badfileops.  E.g.,
+	 * devfs_open() transiently create such situation to
+	 * facilitate csw d_fdopen().
+	 *
+	 * Dupfdopen() handling in kern_openat() installs the
+	 * half-baked file into the process descriptor table, allowing
+	 * other thread to dereference it. Guard against the race by
+	 * checking f_ops.
+	 */
+	if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
 		fdrop(fp, curthread);
 		return (EINVAL);
 	}
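Review bot: the new condition `if (fp->f_vnode == NULL || fp->f_ops == &badfileops)` closes the race only if the file's f_ops is switched away from badfileops strictly after every other field (f_vnode included) has been initialized, and neither the check nor the new comment states that ordering dependency; please spell it out in the comment (and confirm that the store to f_ops on the initialization side is ordered after the f_vnode store), otherwise a reader of this hunk alone cannot see why observing a non-bad f_ops implies a fully constructed file. Minor wording in the added comment: "transiently create such situation" reads better as "transiently creates such a situation", and "allowing other thread to dereference it" as "allowing another thread to dereference it".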

