svn commit: r267017 - in releng/10.0: . contrib/openpam/lib/libpam contrib/sendmail/src sys/conf sys/kern sys/sys sys/vm
Xin LI
delphij at FreeBSD.org
Tue Jun 3 19:02:55 UTC 2014
Author: delphij
Date: Tue Jun 3 19:02:52 2014
New Revision: 267017
URL: http://svnweb.freebsd.org/changeset/base/267017
Log:
Fix sendmail improper close-on-exec flag handling. [SA-14:11]
Fix incorrect error handling in PAM policy parser. [SA-14:13]
Fix triple-fault when executing from a threaded process. [EN-14:06]
Approved by: so
Modified:
releng/10.0/UPDATING
releng/10.0/contrib/openpam/lib/libpam/openpam_configure.c
releng/10.0/contrib/sendmail/src/conf.c
releng/10.0/sys/conf/newvers.sh
releng/10.0/sys/kern/kern_exec.c
releng/10.0/sys/sys/proc.h
releng/10.0/sys/vm/vm_map.c
Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/UPDATING Tue Jun 3 19:02:52 2014 (r267017)
@@ -16,6 +16,17 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20140603: p4 FreeBSD-SA-14:11.sendmail
+ FreeBSD-SA-14:13.pam
+ FreeBSD-EN-14:06.exec
+
+ Fix sendmail improper close-on-exec flag handling. [SA-14:11]
+
+ Fix incorrect error handling in PAM policy parser. [SA-14:13]
+
+ Fix triple-fault when executing from a threaded process.
+ [EN-14:06]
+
20140513: p3 FreeBSD-SA-14:10.openssl
FreeBSD-EN-14:05.ciss
Modified: releng/10.0/contrib/openpam/lib/libpam/openpam_configure.c
==============================================================================
--- releng/10.0/contrib/openpam/lib/libpam/openpam_configure.c Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/contrib/openpam/lib/libpam/openpam_configure.c Tue Jun 3 19:02:52 2014 (r267017)
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -193,6 +193,7 @@ openpam_parse_chain(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid facility",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (facility != fclt && facility != PAM_FACILITY_ANY) {
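Review bot: The `errno = EINVAL` added before `goto fail` only reaches the caller if the code at the `fail` label, which is outside this hunk, saves and restores errno around its cleanup. The same assignment is added on the service-name, end-of-line, control-flag and module-name error paths in the following hunks, so one check of that label covers all of them. It matters because openpam_configure now tells "no policy" from "broken policy" purely by errno. If the label does not already preserve it, wrapping the cleanup in `serrno = errno;` and `errno = serrno;` would be the fix.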
@@ -208,18 +209,28 @@ openpam_parse_chain(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid service name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (wordv[i] != NULL) {
openpam_log(PAM_LOG_ERROR,
"%s(%d): garbage at end of line",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
ret = openpam_load_chain(pamh, servicename, fclt);
FREEV(wordc, wordv);
- if (ret < 0)
+ if (ret < 0) {
+ /*
+ * Bogus errno, but this ensures that the
+ * outer loop does not just ignore the
+ * error and keep searching.
+ */
+ if (errno == ENOENT)
+ errno = EINVAL;
goto fail;
+ }
continue;
}
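Review bot: The comment in the new `if (ret < 0)` block says "outer loop" without naming it, and the later ENOENT to ENOEXEC remap after `openpam_load_module()` has no comment at all. The loop appears to be the path search in openpam_load_chain(), which a later hunk shows continuing when `errno == ENOENT`. Naming it would make both remaps self-explanatory, e.g. `/* openpam_load_chain() treats ENOENT as "try the next path"; report a missing include as EINVAL so the search stops */`. The module-load site could carry `/* a missing module must not look like a missing policy file */`.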
@@ -229,6 +240,7 @@ openpam_parse_chain(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid control flag",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -238,6 +250,7 @@ openpam_parse_chain(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid module name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -247,8 +260,11 @@ openpam_parse_chain(pam_handle_t *pamh,
this->flag = ctlf;
/* load module */
- if ((this->module = openpam_load_module(modulename)) == NULL)
+ if ((this->module = openpam_load_module(modulename)) == NULL) {
+ if (errno == ENOENT)
+ errno = ENOEXEC;
goto fail;
+ }
/*
* The remaining items in wordv are the module's
@@ -281,7 +297,11 @@ openpam_parse_chain(pam_handle_t *pamh,
* The loop ended because openpam_readword() returned NULL, which
* can happen for four different reasons: an I/O error (ferror(f)
* is true), a memory allocation failure (ferror(f) is false,
- * errno is non-zero)
+ * feof(f) is false, errno is non-zero), the file ended with an
+ * unterminated quote or backslash escape (ferror(f) is false,
+ * feof(f) is true, errno is non-zero), or the end of the file was
+ * reached without error (ferror(f) is false, feof(f) is true,
+ * errno is zero).
*/
if (ferror(f) || errno != 0)
goto syserr;
@@ -402,6 +422,9 @@ openpam_load_chain(pam_handle_t *pamh,
}
ret = openpam_load_file(pamh, service, facility,
filename, style);
+ /* success */
+ if (ret > 0)
+ RETURNN(ret);
/* the file exists, but an error occurred */
if (ret == -1 && errno != ENOENT)
RETURNN(ret);
@@ -411,7 +434,8 @@ openpam_load_chain(pam_handle_t *pamh,
}
/* no hit */
- RETURNN(0);
+ errno = ENOENT;
+ RETURNN(-1);
}
/*
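Review bot: The "no hit" result changes from `0` to `-1` with `errno = ENOENT`, and the hunk above adds an early return for `ret > 0`, but nothing visible documents the new contract. The header comment of openpam_load_chain(), outside these hunks, should state that a positive value means a policy was loaded, that `-1` with ENOENT means no policy file was found, and that `-1` with any other errno means a file was found but rejected. Callers that used to treat `0` as "nothing found, carry on" now need the errno check that openpam_configure gains in this commit. Any caller not shown on this page should be confirmed.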
@@ -432,8 +456,10 @@ openpam_configure(pam_handle_t *pamh,
openpam_log(PAM_LOG_ERROR, "invalid service name");
RETURNC(PAM_SYSTEM_ERR);
}
- if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
- goto load_err;
+ if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+ if (errno != ENOENT)
+ goto load_err;
+ }
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
if (pamh->chains[fclt] != NULL)
continue;
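Review bot: This is the one place in the policy loader where a failure is deliberately let through, and it has no comment saying why ENOENT is tolerated. Something like `/* ENOENT: no policy found under this service name; the per-facility loop below handles what is still missing */` would do, adjusted to what the loop actually does, since its body continues outside the hunk. The nested `if` can also be a single condition: `if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0 && errno != ENOENT) goto load_err;`.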
Modified: releng/10.0/contrib/sendmail/src/conf.c
==============================================================================
--- releng/10.0/contrib/sendmail/src/conf.c Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/contrib/sendmail/src/conf.c Tue Jun 3 19:02:52 2014 (r267017)
@@ -5265,8 +5265,8 @@ closefd_walk(lowest, fd)
*/
void
-sm_close_on_exec(highest, lowest)
- int highest, lowest;
+sm_close_on_exec(lowest, highest)
+ int lowest, highest;
{
#if HASFDWALK
(void) fdwalk(closefd_walk, &lowest);
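Review bot: `sm_close_on_exec` is an old-style definition taking two `int`s, so the compiler cannot tell a call with the arguments swapped from a correct one, which is the kind of mismatch this change corrects. The header comment ending just above the definition should state the order explicitly, e.g. `lowest -- lowest descriptor in the range, highest -- highest descriptor in the range`. If the declaration in the header is not already a full prototype, making it one would at least pin the parameter names for readers. The body continues past the hunk, so the non-fdwalk branch that uses `highest` is not visible here and should be checked against the new order.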
Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/sys/conf/newvers.sh Tue Jun 3 19:02:52 2014 (r267017)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.0"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.0/sys/kern/kern_exec.c
==============================================================================
--- releng/10.0/sys/kern/kern_exec.c Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/sys/kern/kern_exec.c Tue Jun 3 19:02:52 2014 (r267017)
@@ -283,6 +283,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -299,6 +300,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -313,6 +316,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
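Review bot: The deferred `vmspace_free(oldvmspace)` has no comment explaining why it sits after the `P_HADTHREADS` block rather than in vmspace_exec(), where the free used to be. A short comment such as `/* vmspace_exec() left the old vmspace for us to release once single-threading has ended */` would keep a later cleanup from moving it back. Both new checks in this function are `KASSERT`s, so on a kernel built without assertions the free is gated by the flag alone. That is sound only while vmspace_exec() is the sole place that sets TDP_EXECVMSPC, which the vm_map.c hunk suggests but this page cannot confirm.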
Modified: releng/10.0/sys/sys/proc.h
==============================================================================
--- releng/10.0/sys/sys/proc.h Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/sys/sys/proc.h Tue Jun 3 19:02:52 2014 (r267017)
@@ -966,4 +966,5 @@ curthread_pflags_restore(int save)
#endif /* _KERNEL */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
#endif /* !_SYS_PROC_H_ */
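Review bot: As shown, `TDP_EXECVMSPC` is defined at the very end of the header, after `#endif /* _KERNEL */`, rather than next to the other `TDP_*` thread flags, which are outside this hunk. Kept apart from that list, `0x40000000` is easy to hand out a second time when another flag is added. If the placement is deliberate for this release branch, a comment such as `/* kept apart from the TDP_* list; value must not collide with it */` would say so.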
Modified: releng/10.0/sys/vm/vm_map.c
==============================================================================
--- releng/10.0/sys/vm/vm_map.c Tue Jun 3 19:02:42 2014 (r267016)
+++ releng/10.0/sys/vm/vm_map.c Tue Jun 3 19:02:52 2014 (r267017)
@@ -3725,6 +3725,8 @@ vmspace_exec(struct proc *p, vm_offset_t
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser, NULL);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3741,7 +3743,7 @@ vmspace_exec(struct proc *p, vm_offset_t
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}
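Review bot: vmspace_exec() now returns with `oldvmspace` still referenced and signals that only through `curthread->td_pflags`, so releasing it has become the caller's job and the function comment should say so. A line like `/* On success the old vmspace is not freed here; TDP_EXECVMSPC is set and kern_execve() frees it. */` in the header comment, outside the hunk, would cover it. The flag is set on `curthread` while the function operates on `p`, and the visible `if (p == curthread->td_proc)` test suggests the two may differ. In that case the pointer saved in kern_execve() would not be the vmspace replaced here, so that path is worth confirming.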