Date: Thu, 14 Jan 2016 10:16:25 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r293909 - in head/sys: compat/linux kern sys Message-ID: <201601141016.u0EAGP8v040542@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Thu Jan 14 10:16:25 2016 New Revision: 293909 URL: https://svnweb.freebsd.org/changeset/base/293909 Log: Call crextend() before copying old credentials to the new credentials and replace crcopysafe by crcopy as crcopysafe is is not intended to be safe in a threaded environment, it drops PROC_LOCK() in while() that can lead to unexpected results, such as overwrite kernel memory. In my POV crcopysafe() needs special attention. For now I do not see any problems with this function, but who knows. Submitted by: dchagin Found by: trinity Security: SA-16:04.linux Modified: head/sys/compat/linux/linux_misc.c head/sys/kern/kern_prot.c head/sys/sys/ucred.h Modified: head/sys/compat/linux/linux_misc.c ============================================================================== --- head/sys/compat/linux/linux_misc.c Thu Jan 14 10:15:21 2016 (r293908) +++ head/sys/compat/linux/linux_misc.c Thu Jan 14 10:16:25 2016 (r293909) @@ -1304,9 +1304,11 @@ linux_setgroups(struct thread *td, struc if (error) goto out; newcred = crget(); + crextend(newcred, ngrp + 1); p = td->td_proc; PROC_LOCK(p); - oldcred = crcopysafe(p, newcred); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); /* * cr_groups[0] holds egid. Setting the whole set from Modified: head/sys/kern/kern_prot.c ============================================================================== --- head/sys/kern/kern_prot.c Thu Jan 14 10:15:21 2016 (r293908) +++ head/sys/kern/kern_prot.c Thu Jan 14 10:16:25 2016 (r293909) @@ -88,7 +88,6 @@ static MALLOC_DEFINE(M_CRED, "cred", "cr SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); -static void crextend(struct ucred *cr, int n); static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups); @@ -1997,7 +1996,7 @@ crcopysafe(struct proc *p, struct ucred /* * Extend the passed in credential to hold n items. */ -static void +void crextend(struct ucred *cr, int n) { int cnt; Modified: head/sys/sys/ucred.h ============================================================================== --- head/sys/sys/ucred.h Thu Jan 14 10:15:21 2016 (r293908) +++ head/sys/sys/ucred.h Thu Jan 14 10:16:25 2016 (r293909) @@ -105,6 +105,7 @@ void change_svuid(struct ucred *newcred, void crcopy(struct ucred *dest, struct ucred *src); struct ucred *crcopysafe(struct proc *p, struct ucred *cr); struct ucred *crdup(struct ucred *cr); +void crextend(struct ucred *cr, int n); void proc_set_cred_init(struct proc *p, struct ucred *cr); struct ucred *proc_set_cred(struct proc *p, struct ucred *cr); void crfree(struct ucred *cr);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601141016.u0EAGP8v040542>