From owner-p4-projects@FreeBSD.ORG Tue Jun 16 19:33:23 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 2E747106568E; Tue, 16 Jun 2009 19:33:23 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D9210106568A for ; Tue, 16 Jun 2009 19:33:22 +0000 (UTC) (envelope-from trasz@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id AC5A98FC18 for ; Tue, 16 Jun 2009 19:33:22 +0000 (UTC) (envelope-from trasz@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n5GJXMdv074022 for ; Tue, 16 Jun 2009 19:33:22 GMT (envelope-from trasz@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n5GJXMpb074020 for perforce@freebsd.org; Tue, 16 Jun 2009 19:33:22 GMT (envelope-from trasz@freebsd.org) Date: Tue, 16 Jun 2009 19:33:22 GMT Message-Id: <200906161933.n5GJXMpb074020@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to trasz@freebsd.org using -f From: Edward Tomasz Napierala To: Perforce Change Reviews Cc: Subject: PERFORCE change 164527 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jun 2009 19:33:24 -0000 http://perforce.freebsd.org/chv.cgi?CH=164527 Change 164527 by trasz@trasz_victim on 2009/06/16 19:32:38 Plug a memory ('struct gidinfo') leak introduced in a previous commit and fix another LOR. Affected files ... .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_prot.c#8 edit Differences ... ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_prot.c#8 (text+ko) ==== @@ -733,6 +733,7 @@ fail: PROC_UNLOCK(p); + gifree(gip); crfree(newcred); return (error); } @@ -783,6 +784,7 @@ fail: PROC_UNLOCK(p); + gifree(egip); crfree(newcred); return (error); } @@ -813,12 +815,15 @@ { struct proc *p = td->td_proc; struct ucred *newcred, *oldcred; - int i, error; + struct gidinfo *gidinfos[NGROUPS], *oldgidinfos[NGROUPS]; + int i, error, oldngroups = 0; if (ngrp > NGROUPS) return (EINVAL); AUDIT_ARG(groupset, groups, ngrp); newcred = crget(); + for (i = 0; i < ngrp; i++) + gidinfos[i] = gifind(groups[i]); PROC_LOCK(p); oldcred = p->p_ucred; @@ -844,26 +849,39 @@ * have the egid in the groups[0]). We risk security holes * when running non-BSD software if we do not do the same. */ + oldngroups = newcred->cr_ngroups - 1; + for (i = 0; i < oldngroups; i++) + oldgidinfos[i] = newcred->cr_gidinfos[i + 1]; newcred->cr_ngroups = 1; - for (i = 1; i < newcred->cr_ngroups; i++) - gifree(newcred->cr_gidinfos[i]); } else { - for (i = 0; i < newcred->cr_ngroups; i++) - gifree(newcred->cr_gidinfos[i]); + oldngroups = newcred->cr_ngroups; + for (i = 0; i < oldngroups; i++) + oldgidinfos[i] = newcred->cr_gidinfos[i]; bcopy(groups, newcred->cr_groups, ngrp * sizeof(gid_t)); newcred->cr_ngroups = ngrp; for (i = 0; i < newcred->cr_ngroups; i++) - newcred->cr_gidinfos[i] = gifind(newcred->cr_groups[i]); + newcred->cr_gidinfos[i] = gidinfos[i]; } setsugid(p); p->p_ucred = newcred; PROC_UNLOCK(p); + for (i = 0; i < oldngroups; i++) + gifree(oldgidinfos[i]); + /* Don't free gidinfos[]. */ crfree(oldcred); + for (i = 0; i < newcred->cr_ngroups; i++) + KASSERT(newcred->cr_gidinfos[i]->gi_gid == newcred->cr_groups[i], ("Whoops.")); return (0); fail: PROC_UNLOCK(p); + for (i = 0; i < oldngroups; i++) + gifree(oldgidinfos[i]); + for (i = 0; i < ngrp; i++) + gifree(gidinfos[i]); crfree(newcred); + for (i = 0; i < newcred->cr_ngroups; i++) + KASSERT(newcred->cr_gidinfos[i]->gi_gid == newcred->cr_groups[i], ("Whoops.")); return (error); } @@ -995,6 +1013,7 @@ fail: PROC_UNLOCK(p); + gifree(egip); crfree(newcred); return (error); } @@ -1150,6 +1169,7 @@ fail: PROC_UNLOCK(p); + gifree(egip); crfree(newcred); return (error); }