Date:      Mon, 4 Dec 2006 18:12:48 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 111037 for review
Message-ID:  <200612041812.kB4ICmtE085634@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=111037

Change 111037 by millert@millert_g5tower on 2006/12/04 18:12:30

	Use fp_lookup()/fp_drop() in mac_{g,s}et_fd().
	This prevents theoretical races and NULL dereferences.
	
	Add missing DTYPE constants to switch, in default section.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 (text+ko) ====

@@ -309,8 +309,6 @@
 	return;
 }
 
-extern int fdgetf_noref(struct proc *, int, struct fileproc **);
-
 static __inline void
 mac_policy_grab_exclusive(void)
 {
@@ -1579,7 +1577,7 @@
 	AUDIT_ARG(mac_string, elements);
 
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
-	error = fdgetf_noref(p, uap->fd, &fp);
+	error = fp_lookup(p, uap->fd, &fp, 0);
 	if (error) {
 		FREE(buffer, M_MACTEMP);
 		FREE(elements, M_MACTEMP);
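Review bot: Nothing at the new `fp_lookup()` call records that, unlike the `fdgetf_noref()` it replaces, it hands back `fp` with a reference held that every later exit has to release. A one-line comment above the call would make that contract visible to whoever adds the next error path: `/* fp_lookup() holds a reference on fp; pair with fp_drop() on every exit below */`. The same comment fits the identical call in the set path (hunk at -1745). The failure branch here does not call `fp_drop()`, which looks right on the assumption that a failed lookup takes no reference; the function body continues outside this hunk.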
@@ -1588,6 +1586,7 @@
 	
 	error = mac_file_check_get(p->p_ucred, fp, elements, mac.m_buflen);
 	if (error) {
+		fp_drop(p, uap->fd, fp, 0);
 		FREE(buffer, M_MACTEMP);
 		FREE(elements, M_MACTEMP);
 		return (error);
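Review bot: The `mac_file_check_get()` failure branch now repeats the whole teardown (`fp_drop`, two `FREE`s, `return`) that the `fp_lookup()` failure branch and the function tail also carry, so each new exit is another place to forget the drop and leak the descriptor reference. Consider routing failures through a cleanup label instead, e.g. `if (error) goto out_drop;`, with `out_drop:` doing the `fp_drop()` and falling into the frees. The matching branch after `mac_file_check_set()` (hunk at -1753) has the same shape. Both functions extend beyond these hunks, so the label placement needs checking against the parts not shown.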
@@ -1618,9 +1617,16 @@
 			}
 			mac_vnode_label_free(intlabel);
 			break;
+		case DTYPE_PSXSHM:
+		case DTYPE_PSXSEM:
+		case DTYPE_PIPE:
+		case DTYPE_KQUEUE:
+		case DTYPE_FSEVENTS:
 		default:
 			error = ENOSYS;   // only sockets are handled so far
+			break;
 	}
+	fp_drop(p, uap->fd, fp, 0);
 	
 	if (error == 0)
 		error = copyout(buffer, CAST_USER_ADDR_T(mac.m_string), strlen(buffer)+1);
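Review bot: The single `fp_drop()` placed after the switch balances `fp_lookup()` only if every case body leaves through `break`. The handled cases start above this hunk, so a `return` inside one of them would skip the drop and leave the reference on `fp` held. This is worth confirming for this switch and for the one in the set path (hunk at -1790). Any such exit needs its own `fp_drop(p, uap->fd, fp, 0);` before returning.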
@@ -1745,7 +1751,7 @@
 	}
 	AUDIT_ARG(mac_string, buffer);
 	
-	error = fdgetf_noref(p, uap->fd, &fp);
+	error = fp_lookup(p, uap->fd, &fp, 0);
 	if (error) {
 		FREE(buffer, M_MACTEMP);
 		return (error);
@@ -1753,6 +1759,7 @@
 	
 	error = mac_file_check_set(p->p_ucred, fp, buffer, mac.m_buflen);
 	if (error) {
+		fp_drop(p, uap->fd, fp, 0);
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
@@ -1790,10 +1797,17 @@
 
 			mac_vnode_label_free(intlabel);
 			break;
+		case DTYPE_PSXSHM:
+		case DTYPE_PSXSEM:
+		case DTYPE_PIPE:
+		case DTYPE_KQUEUE:
+		case DTYPE_FSEVENTS:
 		default:
 			error = ENOSYS;  // only sockets are handled at this point
+			break;
 	}
 	
+	fp_drop(p, uap->fd, fp, 0);
 	FREE(buffer, M_MACTEMP);
 	return (error);
 }
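Review bot: The comment on the `default` arm, `// only sockets are handled at this point`, does not match the switch as shown: the case just above frees a vnode label, so vnodes appear to be handled as well. The five `DTYPE_*` labels added here fall straight through to `default` without changing behaviour. A comment that says so would stop a reader from taking the list as partial support, e.g. `/* no MAC label support for these descriptor types yet; listed for completeness */`. The get-side switch (hunk at -1618) carries the same stale comment.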


