From nobody Thu Apr  3 19:32:02 2025
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZTBh35DpLz5sLqT;
	Thu, 03 Apr 2025 19:32:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZTBh26hYgz3SFL;
	Thu, 03 Apr 2025 19:32:02 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1743708722;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=W8YW+2fddAPgGj2VwWxWxESa3KO8MdIRAaZSRKSEtQE=;
	b=K/ivd1OOADrckDcItAccckZDfzIl8ZkTrELJhtX7ioJE5XIph3S9IW3sMqUEolkJGIiMpK
	5bQizIdD3SQMAOgQQKF3l/ADau4aszqCOxSD7zdL0SP5PC7LKdaHmUKZvLf6221Lb/3oTi
	tojcGP4OY+W6zqhEqUPzJxFM9NTQBLOOpp14QiVn3mvVaekgPKn5oOwPaJOEuFx2GEH34H
	MnsNOu075tj8277DjxV5v11sijEMh00KOL76d6L2KPfje+LIvb48tOD+E+613CgY//7WbG
	eXSh6xvpgSUtFld4tsJJNsqU081tg5kbUtYlO1CTSljHPJjfXBJ4h3tA5m0F6w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1743708722; a=rsa-sha256; cv=none;
	b=ZlUJHk0Wms2BlUueIHOzQrwm43NxbvdwG11dq1qRrxCh/ZVLM+mMvfgPtnDi5z1VkSDLpD
	SiNFrPD/+nkVQefNkzcIszb91kGainWbId48L3oHRW+h7qbl5Y6cxnl+lVSs0rSzPA1vVW
	OewiM0UwAjZVvg5ePN3dxyp2A1q3TX6TwCyJ65wUAiDKfcnhLv0PjlBP625etIK/NNnnMM
	XU6BrROxOV5qmMgk4AHgH8QnbGjjiv+HVAiiCRW56tdVEAXXN0etYL9lGXDWjmadzyxTnd
	3XFIRM+TS4km/7WIfE5Ke7zbWGzUKMIvvXIVwfejInEReSI9R0hX2BVVJ7ANpQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1743708722;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=W8YW+2fddAPgGj2VwWxWxESa3KO8MdIRAaZSRKSEtQE=;
	b=SPrWwTPZL8NIi9PJuhrm9nigYRSYWWAdmCnEOl87xpi0RV1qRussgZz6dP6Hb1qtCVt2mk
	OlZpCObYTCAOGRd5aHbNTJVxJfR3PUnoJ6V0gUEYpL8aZ//RZeOTSa3IiqrWWMahDokXCw
	xkqik616yyzO5wSFkwGGRSaMZeBCVGrgGX8qqFH5WYQXIjw9nEMr/9XJexXDTsucWIqIYM
	fNlYQxVbrubDwRg9srdqYkLw8bimXeBLM5Tx9jhvoSlf6CwY2dHU12nZq1QmiznkLZvBJg
	JjYkSzIQP9BfSEdh8QYqPikQQfSeuD4myvhi8J0SmL9uRSwvXiCyecyaSra3/Q==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZTBh26F2NzWW;
	Thu, 03 Apr 2025 19:32:02 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 533JW2ZB037392;
	Thu, 3 Apr 2025 19:32:02 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 533JW2aq037389;
	Thu, 3 Apr 2025 19:32:02 GMT
	(envelope-from git)
Date: Thu, 3 Apr 2025 19:32:02 GMT
Message-Id: <202504031932.533JW2aq037389@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Olivier Certner <olce@FreeBSD.org>
Subject: git: 4d2b20daf4d4 - stable/14 - MAC/do: sysctl_rules():
  Always copy the rules specification string
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 4d2b20daf4d416a0d748f9ec27cfa112caafa7e1
Auto-Submitted: auto-generated

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=4d2b20daf4d416a0d748f9ec27cfa112caafa7e1

commit 4d2b20daf4d416a0d748f9ec27cfa112caafa7e1
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-07-03 12:52:38 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-03 19:30:58 +0000

    MAC/do: sysctl_rules(): Always copy the rules specification string
    
    We are not guaranteed that the 'rules' storage stays stable if we don't
    hold the prison lock.  For this reason, always copy the specification
    string (under the lock).
    
    Reviewed by:    bapt
    Approved by:    markj (mentor)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D47600
    
    (cherry picked from commit 292c814931d975d56d5ffa7c3c85191d56a059c4)
---
 sys/security/mac_do/mac_do.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index ed4c984ff559..94fe7b99fc9d 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -309,30 +309,22 @@ parse_and_set_rules(struct prison *const pr, const char *rules_string)
 static int
 sysctl_rules(SYSCTL_HANDLER_ARGS)
 {
-	char *new_string;
+	char *const buf = malloc(MAC_RULE_STRING_LEN, M_DO, M_WAITOK);
 	struct prison *pr;
 	struct rules *rules;
 	int error;
 
 	rules = find_rules(req->td->td_ucred->cr_prison, &pr);
+	strlcpy(buf, rules->string, MAC_RULE_STRING_LEN);
 	prison_unlock(pr);
-	if (req->newptr == NULL)
-		return (sysctl_handle_string(oidp, rules->string, MAC_RULE_STRING_LEN, req));
 
-	new_string = malloc(MAC_RULE_STRING_LEN, M_DO,
-	    M_WAITOK|M_ZERO);
-	prison_lock(pr);
-	strlcpy(new_string, rules->string, MAC_RULE_STRING_LEN);
-	prison_unlock(pr);
-
-	error = sysctl_handle_string(oidp, new_string, MAC_RULE_STRING_LEN, req);
-	if (error)
+	error = sysctl_handle_string(oidp, buf, MAC_RULE_STRING_LEN, req);
+	if (error != 0 || req->newptr == NULL)
 		goto out;
 
-	error = parse_and_set_rules(pr, new_string);
-
+	error = parse_and_set_rules(pr, buf);
 out:
-	free(new_string, M_DO);
+	free(buf, M_DO);
 	return (error);
 }