Date: Tue, 25 Feb 2014 13:08:43 -0500
From: John Baldwin <jhb@freebsd.org>
To: Mateusz Guzik <mjg@freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r262309 - head/sys/kern
Message-ID: <201402251308.43875.jhb@freebsd.org>
In-Reply-To: <201402212229.s1LMT9BF093587@svn.freebsd.org>
References: <201402212229.s1LMT9BF093587@svn.freebsd.org>
On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> Author: mjg
> Date: Fri Feb 21 22:29:09 2014
> New Revision: 262309
> URL: http://svnweb.freebsd.org/changeset/base/262309
>
> Log:
>   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
>   to use-after-free.
>
>   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
>   kern_proc_{o,}filedesc_out only checked for hold count.

Can you describe the race in more detail?  The kern_* routines hold
FILEDESC_SLOCK() while they read the file which should prevent fdescfree()
from free'ing any files.  Note that fdfree() (called under FILEDESC_XLOCK())
clears the file pointer to NULL via the bzero(), so the sysctl handler should
only see non-NULL pointers for files that are not yet free'd.

-- 
John Baldwin