svn commit: r343890 - head/sys/kern

Konstantin Belousov kib at FreeBSD.org
Fri Feb 8 04:06:52 UTC 2019


Author: kib
Date: Fri Feb  8 04:06:48 2019
New Revision: 343890
URL: https://svnweb.freebsd.org/changeset/base/343890

Log:
  do_execve(): lock vnode when needed.
  
  Code after exec_fail_dealloc label expects that the image vnode is
  locked if present.  When copyout() of the strings or auxv vectors fails,
  the goto to the error handling did not relock the vnode as required.
  
  The copyout() can be made to fail, e.g. by creating an ELF image with
  a PT_GNU_STACK segment that disables write.
  
  Reported by:	Jonathan Stuart <n0t.jcs at gmail.com> (found by fuzzing)
  Sponsored by:	The FreeBSD Foundation
  MFC after:	3 days

Modified:
  head/sys/kern/kern_exec.c

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c	Fri Feb  8 03:31:38 2019	(r343889)
+++ head/sys/kern/kern_exec.c	Fri Feb  8 04:06:48 2019	(r343890)
@@ -696,8 +696,10 @@ interpret:
 	else
 		error = suword(--stack_base, imgp->args->argc) == 0 ?
 		    0 : EFAULT;
-	if (error != 0)
+	if (error != 0) {
+		vn_lock(imgp->vp, LK_SHARED | LK_RETRY);
 		goto exec_fail_dealloc;
+	}
 
 	if (args->fdp != NULL) {
 		/* Install a brand new file descriptor table. */

