git: eef123d5fd97 - stable/13 - file: Avoid a read-after-free of fd tables in sysctl handlers
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 31 Mar 2022 15:32:55 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=eef123d5fd97ef6d5c236f6420c1901b7e19499f
commit eef123d5fd97ef6d5c236f6420c1901b7e19499f
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-03-17 16:54:37 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-31 15:32:00 +0000
file: Avoid a read-after-free of fd tables in sysctl handlers
Some loops access the fd table of a different process, and drop the
filedesc lock while iterating, so they check the table's refcount.
However, we access the table before the first iteration, in order to get
the number of table entries, and this access can be a use-after-free.
Fix the problem by checking the refcount before we start iterating.
Reported by: pho
Reviewed by: mjg
Sponsored by: The FreeBSD Foundation
(cherry picked from commit c70224229205c756bf1c2007a6b96b37126eb047)
---
sys/kern/kern_descrip.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 03498d5a9ce9..de70be1a997f 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -4272,6 +4272,8 @@ sysctl_kern_file(SYSCTL_HANDLER_ARGS)
if (fdp == NULL)
continue;
FILEDESC_SLOCK(fdp);
+ if (refcount_load(&fdp->fd_refcnt) == 0)
+ goto nextproc;
lastfile = fdlastfile(fdp);
for (n = 0; refcount_load(&fdp->fd_refcnt) > 0 && n <= lastfile;
n++) {
@@ -4287,9 +4289,16 @@ sysctl_kern_file(SYSCTL_HANDLER_ARGS)
xf.xf_offset = foffset_get(fp);
xf.xf_flag = fp->f_flag;
error = SYSCTL_OUT(req, &xf, sizeof(xf));
- if (error)
+
+ /*
+ * There is no need to re-check the fdtable refcount
+ * here since the filedesc lock is not dropped in the
+ * loop body.
+ */
+ if (error != 0)
break;
}
+nextproc:
FILEDESC_SUNLOCK(fdp);
fddrop(fdp);
if (error)
@@ -4549,8 +4558,10 @@ kern_proc_filedesc_out(struct proc *p, struct sbuf *sb, ssize_t maxlen,
if (pwd != NULL)
pwd_drop(pwd);
FILEDESC_SLOCK(fdp);
+ if (refcount_load(&fdp->fd_refcnt) == 0)
+ goto skip;
lastfile = fdlastfile(fdp);
- for (i = 0; refcount_load(&fdp->fd_refcnt) > 0 && i <= lastfile; i++) {
+ for (i = 0; i <= lastfile; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
#ifdef CAPABILITIES
@@ -4565,9 +4576,10 @@ kern_proc_filedesc_out(struct proc *p, struct sbuf *sb, ssize_t maxlen,
* loop continues.
*/
error = export_file_to_sb(fp, i, &rights, efbuf);
- if (error != 0)
+ if (error != 0 || refcount_load(&fdp->fd_refcnt) == 0)
break;
}
+skip:
FILEDESC_SUNLOCK(fdp);
fail:
if (fdp != NULL)
@@ -4714,8 +4726,10 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLER_ARGS)
if (pwd != NULL)
pwd_drop(pwd);
FILEDESC_SLOCK(fdp);
+ if (refcount_load(&fdp->fd_refcnt) == 0)
+ goto skip;
lastfile = fdlastfile(fdp);
- for (i = 0; refcount_load(&fdp->fd_refcnt) > 0 && i <= lastfile; i++) {
+ for (i = 0; i <= lastfile; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
export_file_to_kinfo(fp, i, NULL, kif, fdp,
@@ -4724,9 +4738,10 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLER_ARGS)
kinfo_to_okinfo(kif, okif);
error = SYSCTL_OUT(req, okif, sizeof(*okif));
FILEDESC_SLOCK(fdp);
- if (error)
+ if (error != 0 || refcount_load(&fdp->fd_refcnt) == 0)
break;
}
+skip:
FILEDESC_SUNLOCK(fdp);
fddrop(fdp);
pddrop(pdp);