From owner-svn-src-head@freebsd.org Thu May 4 20:42:33 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C668D5E675; Thu, 4 May 2017 20:42:33 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ED14B1BEB; Thu, 4 May 2017 20:42:32 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v44KgVxh056210; Thu, 4 May 2017 20:42:31 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v44KgV0u056209; Thu, 4 May 2017 20:42:31 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201705042042.v44KgV0u056209@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Thu, 4 May 2017 20:42:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r317806 - head/sys/dev/nand X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2017 20:42:33 -0000 Author: glebius Date: Thu May 4 20:42:31 2017 New Revision: 317806 URL: https://svnweb.freebsd.org/changeset/base/317806 Log: The nandsim(4) simulator driver doesn't have any protection against races at least in its ioctl handler, and at the same time it creates device entry with 0666 permissions. To plug possible issues in it: - Mark it as needing Giant. - Switch device mode to 0600. Submitted by: C Turt Reviewed by: imp MFC after: 1 week Security: Possible double free in ioctl handler Modified: head/sys/dev/nand/nandsim.c Modified: head/sys/dev/nand/nandsim.c ============================================================================== --- head/sys/dev/nand/nandsim.c Thu May 4 19:55:32 2017 (r317805) +++ head/sys/dev/nand/nandsim.c Thu May 4 20:42:31 2017 (r317806) @@ -71,6 +71,7 @@ static struct nandsim_chip *get_nandsim_ static struct cdevsw nandsim_cdevsw = { .d_version = D_VERSION, + .d_flags = D_NEEDGIANT, .d_ioctl = nandsim_ioctl, .d_name = "nandsim", }; @@ -639,7 +640,7 @@ nandsim_modevent(module_t mod __unused, switch (type) { case MOD_LOAD: nandsim_dev = make_dev(&nandsim_cdevsw, 0, - UID_ROOT, GID_WHEEL, 0666, "nandsim.ioctl"); + UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl"); break; case MOD_UNLOAD: for (i = 0; i < MAX_SIM_DEV; i++) {