Date:      Tue, 22 May 2012 19:43:21 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r235803 - head/sys/kern
Message-ID:  <201205221943.q4MJhLDV023640@svn.freebsd.org>

Author: trasz
Date: Tue May 22 19:43:20 2012
New Revision: 235803
URL: http://svn.freebsd.org/changeset/base/235803

Log:
  Fix use-after-free in kern_jail_set() triggered e.g. by attempts
  to clear the "persist" flag from an empty persistent jail, like this:
  
  jail -c persist=1
  jail -n 1 -m persist=0
  
  Submitted by:	Mateusz Guzik <mjguzik at gmail dot com>
  MFC after:	2 weeks

Modified:
  head/sys/kern/kern_jail.c

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c	Tue May 22 19:40:54 2012	(r235802)
+++ head/sys/kern/kern_jail.c	Tue May 22 19:43:20 2012	(r235803)
@@ -1811,6 +1811,16 @@ kern_jail_set(struct thread *td, struct 
 		}
 	}
 
+#ifdef RACCT
+	if (!created) {
+		sx_sunlock(&allprison_lock);
+		prison_racct_modify(pr);
+		sx_slock(&allprison_lock);
+	}
+#endif
+
+	td->td_retval[0] = pr->pr_id;
+
 	/*
 	 * Now that it is all there, drop the temporary reference from existing
 	 * prisons.  Or add a reference to newly created persistent prisons
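Review bot: the `sx_sunlock(&allprison_lock); prison_racct_modify(pr); sx_slock(&allprison_lock);` sequence in the new RACCT block has no comment saying why the lock has to be dropped around the call; the old call site (removed in the next hunk) sat after the `sx_sunlock(&allprison_lock)` of the reference-drop path, so the reason is that prison_racct_modify() is not meant to run with allprison_lock held, and a one-line comment to that effect would save the next reader from wondering. Also confirm that nothing between the `sx_slock` re-acquire and `done_errmsg` relies on state read under the earlier hold, since the prison list can change while the lock is released. Moving `td->td_retval[0] = pr->pr_id;` up here, ahead of the block that drops the temporary reference on existing prisons (per the comment that follows), is what actually removes the use-after-free, because pr may be freed once that reference goes.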
@@ -1832,12 +1842,6 @@ kern_jail_set(struct thread *td, struct 
 			sx_sunlock(&allprison_lock);
 	}
 
-#ifdef RACCT
-	if (!created)
-		prison_racct_modify(pr);
-#endif
-
-	td->td_retval[0] = pr->pr_id;
 	goto done_errmsg;
 
  done_deref_locked:
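Review bot: the important removal is `td->td_retval[0] = pr->pr_id;`, which read pr after the reference-drop block just above (note the `sx_sunlock(&allprison_lock)` in the context) where an empty, no-longer-persistent prison can already be freed; the log mentions only prison_racct_modify() by implication, so a sentence stating that the retval assignment was the dereference would make the history clearer. The unbraced `if (!created)` being replaced by a braced form in the earlier hunk is consistent with style(9) now that the body has three statements.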