From: Gleb Smirnoff
Date: Thu, 8 Jun 2017 22:13:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r319727 - stable/11/sys/dev/nand

Author: glebius
Date: Thu Jun 8 22:13:29 2017
New Revision: 319727
URL: https://svnweb.freebsd.org/changeset/base/319727

Log:
  MFC r317806:

  The nandsim(4) simulator driver doesn't have any protection against races at least in its ioctl handler, and at the same time it creates device entry with 0666 permissions. To plug possible issues in it:

  - Mark it as needing Giant.
  - Switch device mode to 0600.

  Submitted by: C Turt
  Reviewed by: imp
  Security: Possible double free in ioctl handler
  Approved by: re (marius)

Modified:
  stable/11/sys/dev/nand/nandsim.c
Directory Properties:
  stable/11/ (props changed)

Modified: stable/11/sys/dev/nand/nandsim.c ============================================================================== --- stable/11/sys/dev/nand/nandsim.c Thu Jun 8 22:12:10 2017 (r319726) +++ stable/11/sys/dev/nand/nandsim.c Thu Jun 8 22:13:29 2017 (r319727) @@ -71,6 +71,7 @@ static struct nandsim_chip *get_nandsim_chip(uint8_t, static struct cdevsw nandsim_cdevsw = { .d_version = D_VERSION, + .d_flags = D_NEEDGIANT, .d_ioctl = nandsim_ioctl, .d_name = "nandsim", };
@@ -639,7 +640,7 @@ nandsim_modevent(module_t mod __unused, int type, void switch (type) { case MOD_LOAD: nandsim_dev = make_dev(&nandsim_cdevsw, 0, - UID_ROOT, GID_WHEEL, 0666, "nandsim.ioctl"); + UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl"); break; case MOD_UNLOAD: for (i = 0; i < MAX_SIM_DEV; i++) {
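Review bot: In the first hunk (-71,6), the new `.d_flags = D_NEEDGIANT,` line in the `nandsim_cdevsw` initializer carries no comment saying which state it protects, and Giant only serializes entry through this cdevsw. Giant is released whenever the holding thread sleeps, so if `nandsim_ioctl` or anything it calls can block between looking up an object and freeing it, the double free named in the log can still interleave with a second caller. Please add a short comment on that line stating that Giant stands in for the missing driver locking, and consider a follow-up that guards the chip and controller state with a driver-private lock held across the lookup and the free.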
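Review bot: In the second hunk (-639,7), the `make_dev(..., UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl")` call in the `MOD_LOAD` case sets the mode only when the node is created, so a system with the module already loaded keeps the 0666 node until the module is reloaded or the machine reboots, and a local devfs ruleset can still widen the mode afterwards. The change also drops access for every non-root user, including group wheel, which the previous 0666 allowed. Please document the new root-only requirement where users of the simulator will see it (nandsim(4) or the release notes), and note for operators that existing devfs rules matching `nandsim.ioctl` should be checked so they do not restore world access.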