From owner-p4-projects@FreeBSD.ORG Mon Dec 4 18:12:49 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9574516A47E; Mon, 4 Dec 2006 18:12:49 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5C80C16A40F for ; Mon, 4 Dec 2006 18:12:49 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5F2043CA6 for ; Mon, 4 Dec 2006 18:12:14 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kB4ICmtW085637 for ; Mon, 4 Dec 2006 18:12:48 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kB4ICmtE085634 for perforce@freebsd.org; Mon, 4 Dec 2006 18:12:48 GMT (envelope-from millert@freebsd.org) Date: Mon, 4 Dec 2006 18:12:48 GMT Message-Id: <200612041812.kB4ICmtE085634@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 111037 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Dec 2006 18:12:49 -0000 http://perforce.freebsd.org/chv.cgi?CH=111037 Change 111037 by millert@millert_g5tower on 2006/12/04 18:12:30 Use fp_lookup()/fp_drop() in mac_{g,s}et_fd(). This prevents theoretical races and NULL dereferences. Add missing DTYPE constants to switch, in default section. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#24 (text+ko) ==== @@ -309,8 +309,6 @@ return; } -extern int fdgetf_noref(struct proc *, int, struct fileproc **); - static __inline void mac_policy_grab_exclusive(void) { @@ -1579,7 +1577,7 @@ AUDIT_ARG(mac_string, elements); MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = fdgetf_noref(p, uap->fd, &fp); + error = fp_lookup(p, uap->fd, &fp, 0); if (error) { FREE(buffer, M_MACTEMP); FREE(elements, M_MACTEMP); @@ -1588,6 +1586,7 @@ error = mac_file_check_get(p->p_ucred, fp, elements, mac.m_buflen); if (error) { + fp_drop(p, uap->fd, fp, 0); FREE(buffer, M_MACTEMP); FREE(elements, M_MACTEMP); return (error); @@ -1618,9 +1617,16 @@ } mac_vnode_label_free(intlabel); break; + case DTYPE_PSXSHM: + case DTYPE_PSXSEM: + case DTYPE_PIPE: + case DTYPE_KQUEUE: + case DTYPE_FSEVENTS: default: error = ENOSYS; // only sockets are handled so far + break; } + fp_drop(p, uap->fd, fp, 0); if (error == 0) error = copyout(buffer, CAST_USER_ADDR_T(mac.m_string), strlen(buffer)+1); @@ -1745,7 +1751,7 @@ } AUDIT_ARG(mac_string, buffer); - error = fdgetf_noref(p, uap->fd, &fp); + error = fp_lookup(p, uap->fd, &fp, 0); if (error) { FREE(buffer, M_MACTEMP); return (error); @@ -1753,6 +1759,7 @@ error = mac_file_check_set(p->p_ucred, fp, buffer, mac.m_buflen); if (error) { + fp_drop(p, uap->fd, fp, 0); FREE(buffer, M_MACTEMP); return (error); } @@ -1790,10 +1797,17 @@ mac_vnode_label_free(intlabel); break; + case DTYPE_PSXSHM: + case DTYPE_PSXSEM: + case DTYPE_PIPE: + case DTYPE_KQUEUE: + case DTYPE_FSEVENTS: default: error = ENOSYS; // only sockets are handled at this point + break; } + fp_drop(p, uap->fd, fp, 0); FREE(buffer, M_MACTEMP); return (error); }