From: Mateusz Guzik Date: Thu, 4 Sep 2014 01:21:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r271074 - head/sys/kern X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Sep 2014 01:21:34 -0000 Author: mjg Date: Thu Sep 4 01:21:33 2014 New Revision: 271074 URL: http://svnweb.freebsd.org/changeset/base/271074 Log: Plug a hypothetical use after free in sysctl kern.proc.groups. MFC after: 1 week Modified: head/sys/kern/kern_proc.c Modified: head/sys/kern/kern_proc.c ============================================================================== --- head/sys/kern/kern_proc.c Thu Sep 4 01:04:37 2014 (r271073) +++ head/sys/kern/kern_proc.c Thu Sep 4 01:21:33 2014 (r271074) @@ -2508,6 +2508,7 @@ sysctl_kern_proc_groups(SYSCTL_HANDLER_A return (EINVAL); if (*pidp == -1) { /* -1 means this process */ p = req->td->td_proc; + PROC_LOCK(p); } else { error = pget(*pidp, PGET_CANSEE, &p); if (error != 0) @@ -2515,8 +2516,7 @@ sysctl_kern_proc_groups(SYSCTL_HANDLER_A } cred = crhold(p->p_ucred); - if (*pidp != -1) - PROC_UNLOCK(p); + PROC_UNLOCK(p); error = SYSCTL_OUT(req, cred->cr_groups, cred->cr_ngroups * sizeof(gid_t));
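Review bot: The PROC_LOCK(p) added in the *pidp == -1 branch of the first hunk (-2508,6 +2508,7) carries no comment saying what it protects, and the log message does not name the object that could be freed. From the visible lines, the only use of p between the branch and the unlock is crhold(p->p_ucred), which before this change ran without the process lock on the "this process" path. A short comment at the lock, or one more sentence in the log saying that the lock covers the read of p->p_ucred until crhold() has taken its reference, would make the intent clear to whoever merges this.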
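Review bot: The now unconditional PROC_UNLOCK(p) in the second hunk (-2515,8 +2516,7) depends on both branches above leaving p locked: the -1 branch through the new PROC_LOCK(p), and the pget() branch implicitly, as the old "if (*pidp != -1) PROC_UNLOCK(p);" already assumed. Nothing in the function states that invariant. Consider a PROC_LOCK_ASSERT(p, MA_OWNED) just before cred = crhold(p->p_ucred) so that a later change to either branch fails loudly instead of unlocking a mutex that is not held. Dropping the lock before SYSCTL_OUT() and copying out through the held cred reference looks right; the context ends at SYSCTL_OUT(), so please confirm the reference is released on every return path after it.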