kern/126368: Running ktrace/kdump in jail leads to stale jails
Mateusz Guzik
mjguzik at gmail.com
Sun Aug 10 00:13:15 UTC 2008
On Fri, Aug 08, 2008 at 06:43:38PM +0000, Bjoern A. Zeeb wrote:
> >The following reply was made to PR kern/126368; it has been noted by GNATS.
> >
> >From: "Mateusz Guzik" <mjguzik at gmail.com>
> >To: bug-followup at freebsd.org
> >Cc:
> >Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails
> >Date: Fri, 8 Aug 2008 19:30:22 +0200
> >
> >Err, I made a mistake. crfree() will be called in case of failure
> >(loop starting at line 959), so the following patch should be ok:
> >
> >--- sys/kern/kern_ktrace.c.orig 2008-08-08 16:37:45.000000000 +0200
> >+++ sys/kern/kern_ktrace.c 2008-08-08 19:25:16.000000000 +0200
> >@@ -933,12 +933,14 @@
> > error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
> > VOP_UNLOCK(vp, 0, td);
> > vn_finished_write(mp);
> > vrele(vp);
> > VFS_UNLOCK_GIANT(vfslocked);
> >- if (!error)
> >+ if (!error) {
> >+ crfree(cred);
> > return;
> >+ }
>
> that sounds more plausible w/o seeing the surrounding code. I had
> wondered already earlier today when I was pointed at.
>
> I'll look into this.
>
Sorry for the noise -- the first patch was right. ;)
ktr_writerequest() is called multiple times and it _always_ calls
crhold(), so crfree() must be called before it returns (even in case of
failure).
Also, in this function one can find:
[..]
crhold(cred)
[..]
if (vp == NULL) {
KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL"));
return;
}
`Normal' kernel might leak credentials in this case, so I believe crfree() should be added there too.
Thanks, and again, sorry for the noise.
--
Mateusz Guzik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kern_ktrace.diff
Type: text/x-diff
Size: 863 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20080810/713d8f62/kern_ktrace.bin
More information about the freebsd-jail
mailing list