PERFORCE change 164527 for review

Edward Tomasz Napierala trasz at FreeBSD.org
Tue Jun 16 19:33:24 UTC 2009 

http://perforce.freebsd.org/chv.cgi?CH=164527

Change 164527 by trasz at trasz_victim on 2009/06/16 19:32:38

	Plug a memory ('struct gidinfo') leak introduced in a previous
	commit and fix another LOR.

Affected files ...

.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_prot.c#8 edit

Differences ...

==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_prot.c#8 (text+ko) ====

@@ -733,6 +733,7 @@
 
 fail:
 	PROC_UNLOCK(p);
+	gifree(gip);
 	crfree(newcred);
 	return (error);
 }
@@ -783,6 +784,7 @@
 
 fail:
 	PROC_UNLOCK(p);
+	gifree(egip);
 	crfree(newcred);
 	return (error);
 }
@@ -813,12 +815,15 @@
 {
 	struct proc *p = td->td_proc;
 	struct ucred *newcred, *oldcred;
-	int i, error;
+	struct gidinfo *gidinfos[NGROUPS], *oldgidinfos[NGROUPS];
+	int i, error, oldngroups = 0;
 
 	if (ngrp > NGROUPS)
 		return (EINVAL);
 	AUDIT_ARG(groupset, groups, ngrp);
 	newcred = crget();
+	for (i = 0; i < ngrp; i++)
+		gidinfos[i] = gifind(groups[i]);
 	PROC_LOCK(p);
 	oldcred = p->p_ucred;
 
@@ -844,26 +849,39 @@
 		 * have the egid in the groups[0]).  We risk security holes
 		 * when running non-BSD software if we do not do the same.
 		 */
+		oldngroups = newcred->cr_ngroups - 1;
+		for (i = 0; i < oldngroups; i++)
+			oldgidinfos[i] = newcred->cr_gidinfos[i + 1];
 		newcred->cr_ngroups = 1;
-		for (i = 1; i < newcred->cr_ngroups; i++)
-			gifree(newcred->cr_gidinfos[i]);
 	} else {
-		for (i = 0; i < newcred->cr_ngroups; i++)
-			gifree(newcred->cr_gidinfos[i]);
+		oldngroups = newcred->cr_ngroups;
+		for (i = 0; i < oldngroups; i++)
+			oldgidinfos[i] = newcred->cr_gidinfos[i];
 		bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t));
 		newcred->cr_ngroups = ngrp;
 		for (i = 0; i < newcred->cr_ngroups; i++)
-			newcred->cr_gidinfos[i] = gifind(newcred->cr_groups[i]);
+			newcred->cr_gidinfos[i] = gidinfos[i];
 	}
 	setsugid(p);
 	p->p_ucred = newcred;
 	PROC_UNLOCK(p);
+	for (i = 0; i < oldngroups; i++)
+		gifree(oldgidinfos[i]);
+	/* Don't free gidinfos[]. */
 	crfree(oldcred);
+	for (i = 0; i < newcred->cr_ngroups; i++)
+		KASSERT(newcred->cr_gidinfos[i]->gi_gid == newcred->cr_groups[i], ("Whoops."));
 	return (0);
 
 fail:
 	PROC_UNLOCK(p);
+	for (i = 0; i < oldngroups; i++)
+		gifree(oldgidinfos[i]);
+	for (i = 0; i < ngrp; i++)
+		gifree(gidinfos[i]);
 	crfree(newcred);
+	for (i = 0; i < newcred->cr_ngroups; i++)
+		KASSERT(newcred->cr_gidinfos[i]->gi_gid == newcred->cr_groups[i], ("Whoops."));
 	return (error);
 }
 
@@ -995,6 +1013,7 @@
 
 fail:
 	PROC_UNLOCK(p);
+	gifree(egip);
 	crfree(newcred);
 	return (error);
 }
@@ -1150,6 +1169,7 @@
 
 fail:
 	PROC_UNLOCK(p);
+	gifree(egip);
 	crfree(newcred);
 	return (error);
 }

More information about the p4-projects mailing list