svn commit: r262309 - head/sys/kern
Mateusz Guzik
mjg at FreeBSD.org
Fri Feb 21 22:29:10 UTC 2014
Author: mjg
Date: Fri Feb 21 22:29:09 2014
New Revision: 262309
URL: http://svnweb.freebsd.org/changeset/base/262309
Log:
Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
to use-after-free.
fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
kern_proc_{o,}filedesc_out only checked for hold count.
MFC after: 3 days
Modified:
head/sys/kern/kern_descrip.c
Modified: head/sys/kern/kern_descrip.c
==============================================================================
--- head/sys/kern/kern_descrip.c Fri Feb 21 21:54:36 2014 (r262308)
+++ head/sys/kern/kern_descrip.c Fri Feb 21 22:29:09 2014 (r262309)
@@ -3056,7 +3056,7 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLE
if (fdp->fd_jdir != NULL)
export_vnode_for_osysctl(fdp->fd_jdir, KF_FD_TYPE_JAIL, kif,
fdp, req);
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
bzero(kif, sizeof(*kif));
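Review bot: the `fdp->fd_refcnt > 0` test added to the for condition in sysctl_kern_proc_ofiledesc has no comment explaining why a reference count sits in a loop bound, so it is easy to drop in a later cleanup. A short comment above the loop saying that fdescfree frees the file pointers once fd_refcnt reaches 0, and naming the lock that keeps the test valid through the `fdp->fd_ofiles[i].fde_file` read in the body, would help. The `fdp->fd_jdir` export just above the loop is not covered by the new test; please confirm that is intended.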
@@ -3424,7 +3424,7 @@ kern_proc_filedesc_out(struct proc *p,
export_fd_to_sb(data, KF_TYPE_VNODE, KF_FD_TYPE_JAIL,
FREAD, -1, -1, NULL, efbuf);
}
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
data = NULL;
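Review bot: when `fdp->fd_refcnt > 0` turns false partway through the loop in kern_proc_filedesc_out, the loop ends silently and the function carries on with a partial descriptor list. Please document that truncated output is acceptable for a process that is tearing down its descriptor table. The same condition now appears verbatim in both loops, so a shared helper or macro would keep the two call sites from drifting apart.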