svn commit: r262458 - stable/10/sys/kern
Mateusz Guzik
mjg at FreeBSD.org
Mon Feb 24 21:03:38 UTC 2014
Author: mjg
Date: Mon Feb 24 21:03:38 2014
New Revision: 262458
URL: http://svnweb.freebsd.org/changeset/base/262458
Log:
MFC r262309:
Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
to use-after-free.
fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
kern_proc_{o,}filedesc_out only checked for hold count.
Modified:
stable/10/sys/kern/kern_descrip.c
Modified: stable/10/sys/kern/kern_descrip.c
==============================================================================
--- stable/10/sys/kern/kern_descrip.c Mon Feb 24 20:29:39 2014 (r262457)
+++ stable/10/sys/kern/kern_descrip.c Mon Feb 24 21:03:38 2014 (r262458)
@@ -3052,7 +3052,7 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLE
if (fdp->fd_jdir != NULL)
export_vnode_for_osysctl(fdp->fd_jdir, KF_FD_TYPE_JAIL, kif,
fdp, req);
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
bzero(kif, sizeof(*kif));
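Review bot: The added `fdp->fd_refcnt > 0` test in the loop condition is only sound if the filedesc lock is held each time it is evaluated and `fd_ofiles[i].fde_file` is read, and nothing in this hunk shows that, so the loop header needs a comment stating the invariant. Something like `/* fdescfree() frees the file pointers once fd_refcnt reaches 0; recheck on every pass in case the lock was dropped while exporting the previous entry. */` would do, if that is indeed why the test sits in the condition rather than before the loop. The same comment belongs on the identical loop in kern_proc_filedesc_out in the second hunk. When the test ends the loop early the caller receives a truncated descriptor list with no error, which is presumably acceptable for a process that is tearing down its table but should be said in the comment. Both function bodies start and end outside the hunks, so the locking around these loops could not be checked from here.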
@@ -3422,7 +3422,7 @@ kern_proc_filedesc_out(struct proc *p,
export_fd_to_sb(data, KF_TYPE_VNODE, KF_FD_TYPE_JAIL,
FREAD, -1, -1, NULL, efbuf);
}
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
data = NULL;