svn commit: r262309 - head/sys/kern
John Baldwin
jhb at freebsd.org
Tue Feb 25 18:47:22 UTC 2014
On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> Author: mjg
> Date: Fri Feb 21 22:29:09 2014
> New Revision: 262309
> URL: http://svnweb.freebsd.org/changeset/base/262309
>
> Log:
> Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> to use-after-free.
>
> fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> kern_proc_{o,}filedesc_out only checked for hold count.
Can you describe the race in more detail? The kern_* routines hold
FILEDESC_SLOCK() while they read the file, which should prevent
fdescfree() from free'ing any files. Note that fdfree() (called
under FILEDESC_XLOCK()) clears the file pointer to NULL via the
bzero(), so the sysctl handler should only see non-NULL pointers
for files that are not yet free'd.
--
John Baldwin