Date: Mon, 14 Jul 2014 08:45:29 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r268608 - head/sys/fs/tmpfs Message-ID: <201407140845.s6E8jTK3033265@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Mon Jul 14 08:45:29 2014 New Revision: 268608 URL: http://svnweb.freebsd.org/changeset/base/268608 Log: The tmpfs_link() must not dereference the filesystem-specific data for a vnode until it is verified that the vnode indeed belongs to tmpfs mount. Otherwise, it might access random memory, at least in the debug kernel. Reported and tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Modified: head/sys/fs/tmpfs/tmpfs_vnops.c Modified: head/sys/fs/tmpfs/tmpfs_vnops.c ============================================================================== --- head/sys/fs/tmpfs/tmpfs_vnops.c Mon Jul 14 08:41:13 2014 (r268607) +++ head/sys/fs/tmpfs/tmpfs_vnops.c Mon Jul 14 08:45:29 2014 (r268608) @@ -570,8 +570,6 @@ tmpfs_link(struct vop_link_args *v) MPASS(cnp->cn_flags & HASBUF); MPASS(dvp != vp); /* XXX When can this be false? */ - node = VP_TO_TMPFS_NODE(vp); - /* XXX: Why aren't the following two tests done by the caller? */ /* Hard links of directories are forbidden. */ @@ -586,6 +584,8 @@ tmpfs_link(struct vop_link_args *v) goto out; } + node = VP_TO_TMPFS_NODE(vp); + /* Ensure that we do not overflow the maximum number of links imposed * by the system. */ MPASS(node->tn_links <= LINK_MAX);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201407140845.s6E8jTK3033265>