svn commit: r262309 - head/sys/kern

Mateusz Guzik mjguzik at gmail.com
Wed Feb 26 19:23:55 UTC 2014


On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > Author: mjg
> > Date: Fri Feb 21 22:29:09 2014
> > New Revision: 262309
> > URL: http://svnweb.freebsd.org/changeset/base/262309
> > 
> > Log:
> >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> >   to use-after-free.
> >   
> >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> >   kern_proc_{o,}filedesc_out only checked for hold count.
> 
> Can you describe the race in more detail?  The kern_* routines hold
> FILEDESC_SLOCK() while they read the file which should prevent
> fdescfree() from free'ing any files.  Note that fdfree() (called
> under FILEDESC_XLOCK() clears the file pointer to NULL via the
> bzero(), so the sysctl handler should only see non-NULL pointers
> for files that are not yet free'd.
> 

Oops, you are right. I somehow misread the code.

Still, the change is harmless and matches the other loop that iterates the
table (see sysctl_kern_file), so I think it can stay.

The other thing is that with that change in place we can get rid of the
XLOCK/XUNLOCK around fdfree in fdescfree.

-- 
Mateusz Guzik <mjguzik gmail.com>

