From: Mateusz Guzik
To: Konstantin Belousov
Cc: rwatson@FreeBSD.org, freebsd-fs@freebsd.org, Mateusz Guzik
Subject: [PATCH 1/4] vfs: plug a use-after-free of fd_rdir in namei
Date: Thu, 9 Jul 2015 00:07:08 +0200
Message-Id: <1436393231-5831-2-git-send-email-mjguzik@gmail.com>
X-Mailer: git-send-email 2.4.3
In-Reply-To: <1436393231-5831-1-git-send-email-mjguzik@gmail.com>
References: <20150707085857.GZ2080@kib.kiev.ua> <1436393231-5831-1-git-send-email-mjguzik@gmail.com>
X-BeenThere: freebsd-fs@freebsd.org
List-Id: Filesystems

From: Mateusz Guzik

fd_rdir vnode was stored in ni_rootdir without refing it in any way, after which the filedesc lock was being dropped. The vnode could have been freed by mountcheckdirs or another thread doing chroot.

VREF the vnode while the lock is held.

MFC after: 1 week
---
 sys/kern/vfs_lookup.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 5dc07dc..20f8e96 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -210,6 +210,7 @@ namei(struct nameidata *ndp) */ FILEDESC_SLOCK(fdp); ndp->ni_rootdir = fdp->fd_rdir; + VREF(ndp->ni_rootdir); ndp->ni_topdir = fdp->fd_jdir; /* @@ -260,6 +261,7 @@ namei(struct nameidata *ndp) } } if (error) { + vrele(ndp->ni_rootdir); namei_cleanup_cnp(cnp); return (error); } @@ -286,6 +288,7 @@ namei(struct nameidata *ndp) if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif + vrele(ndp->ni_rootdir); namei_cleanup_cnp(cnp); return (ENOTCAPABLE); } @@ -299,6 +302,7 @@ namei(struct nameidata *ndp) ndp->ni_startdir = dp; error = lookup(ndp); if (error) { + vrele(ndp->ni_rootdir); namei_cleanup_cnp(cnp); SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0, 0, 0);
@@ -308,6 +312,7 @@ namei(struct nameidata *ndp) * If not a symbolic link, we're done. */ if ((cnp->cn_flags & ISSYMLINK) == 0) { + vrele(ndp->ni_rootdir); if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { namei_cleanup_cnp(cnp); } else @@ -371,6 +376,7 @@ namei(struct nameidata *ndp) vput(ndp->ni_vp); dp = ndp->ni_dvp; } + vrele(ndp->ni_rootdir); namei_cleanup_cnp(cnp); vput(ndp->ni_vp); ndp->ni_vp = NULL; -- 2.4.5
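Review bot: in the hunk at @@ -210,6 +210,7 @@ the VREF() is taken immediately after the pointer copy and still under FILEDESC_SLOCK(fdp), which is the step that actually closes the window the commit message describes: once the lock is dropped, chroot or mountcheckdirs can swap fd_rdir and release the old vnode, so a reference taken any later would already be racing with them. A one-line comment on the VREF() saying the reference is held until namei() returns would make its pairing with the vrele() calls in the later hunks explicit for the next person editing this function.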
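Review bot: the hunk at @@ -260,6 +261,7 @@ is the first of four early returns that now repeat the same `vrele(ndp->ni_rootdir); namei_cleanup_cnp(cnp);` pair (the others are at -286, -299 and -308), and a fifth release follows the loop at -371. Any return path added later that forgets the vrele() leaks a reference on the root vnode and keeps the old root alive after a chroot, so consider routing the error returns through one cleanup label so the release lives in a single place.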
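Review bot: in the hunk at @@ -308,6 +312,7 @@ the vrele() sits above the SAVENAME | SAVESTART test, so it runs on both arms of that branch, which is what the "we're done" path needs; but this is also the path that hands the nameidata back to the caller with ni_rootdir still pointing at a vnode namei() no longer holds. Either set `ndp->ni_rootdir = NULL;` right after the vrele() or add a comment that ni_rootdir is not valid once namei() returns, so a caller cannot mistake it for a held reference.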