Date: Mon, 4 Dec 2006 18:12:48 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 111037 for review Message-ID: <200612041812.kB4ICmtE085634@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=111037 Change 111037 by millert@millert_g5tower on 2006/12/04 18:12:30 Use fp_lookup()/fp_drop() in mac_{g,s}et_fd(). This prevents theoretical races and NULL dereferences. Add missing DTYPE constants to switch, in default section. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 (text+ko) ====
@@ -309,8 +309,6 @@
 return;
 }
-extern int fdgetf_noref(struct proc *, int, struct fileproc **);
-
 static __inline void mac_policy_grab_exclusive(void) {
@@ -1579,7 +1577,7 @@
 AUDIT_ARG(mac_string, elements);
 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = fdgetf_noref(p, uap->fd, &fp);
+ error = fp_lookup(p, uap->fd, &fp, 0);
 if (error) {
 FREE(buffer, M_MACTEMP);
 FREE(elements, M_MACTEMP);
@@ -1588,6 +1586,7 @@
 error = mac_file_check_get(p->p_ucred, fp, elements, mac.m_buflen);
 if (error) {
+ fp_drop(p, uap->fd, fp, 0);
 FREE(buffer, M_MACTEMP);
 FREE(elements, M_MACTEMP);
 return (error);
@@ -1618,9 +1617,16 @@
 }
 mac_vnode_label_free(intlabel);
 break;
+ case DTYPE_PSXSHM:
+ case DTYPE_PSXSEM:
+ case DTYPE_PIPE:
+ case DTYPE_KQUEUE:
+ case DTYPE_FSEVENTS:
 default:
 error = ENOSYS; // only sockets are handled so far
+ break;
 }
+ fp_drop(p, uap->fd, fp, 0);
 if (error == 0) error = copyout(buffer, CAST_USER_ADDR_T(mac.m_string), strlen(buffer)+1);
@@ -1745,7 +1751,7 @@
 }
 AUDIT_ARG(mac_string, buffer);
- error = fdgetf_noref(p, uap->fd, &fp);
+ error = fp_lookup(p, uap->fd, &fp, 0);
 if (error) {
 FREE(buffer, M_MACTEMP);
 return (error);
@@ -1753,6 +1759,7 @@
 error = mac_file_check_set(p->p_ucred, fp, buffer, mac.m_buflen);
 if (error) {
+ fp_drop(p, uap->fd, fp, 0);
 FREE(buffer, M_MACTEMP);
 return (error);
 }
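Review bot: The hold that `fp_lookup()` takes on `fp` in the hunk at -1579 is released on only two visible paths: the `mac_file_check_get()` failure (hunk at -1588) and the `fp_drop()` after the switch (hunk at -1618). The switch arms on old lines 1594-1617 are outside the diff, so a `return` inside any of them would leave the fileproc held; the same question applies to mac_set_fd in the hunks at -1745, -1753 and -1790. A comment at the lookup would make the contract explicit, for example `/* fp_lookup() takes a hold on fp; every exit below must fp_drop() it */`. If any arm does return early, routing all exits through one cleanup label that does the `fp_drop()` and the `FREE()` calls would keep the pairing in one place. Both functions begin and end outside these hunks.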
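Review bot: The comment on the `default:` arm in the hunk at -1618, `// only sockets are handled so far`, does not match the switch as shown, because the arm just above it ends with `mac_vnode_label_free(intlabel)` and so presumably handles vnodes as well. The five new `case DTYPE_*` labels fall into `default:` with nothing saying why they are listed. A comment above them such as `/* known descriptor types without MAC label support; listed so the gap is visible */`, and rewording the ENOSYS comment to `// no label support for this descriptor type`, would document the intent. The same stale wording, `// only sockets are handled at this point`, sits in the mac_set_fd switch in the hunk at -1790. The switch begins outside this hunk.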
@@ -1790,10 +1797,17 @@
 mac_vnode_label_free(intlabel);
 break;
+ case DTYPE_PSXSHM:
+ case DTYPE_PSXSEM:
+ case DTYPE_PIPE:
+ case DTYPE_KQUEUE:
+ case DTYPE_FSEVENTS:
 default:
 error = ENOSYS; // only sockets are handled at this point
+ break;
 }
+ fp_drop(p, uap->fd, fp, 0);
 FREE(buffer, M_MACTEMP);
 return (error);
 }