From owner-svn-src-all@freebsd.org  Tue Jan 23 02:16:07 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D74C2EC3137;
 Tue, 23 Jan 2018 02:16:07 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B350B7B8DC;
 Tue, 23 Jan 2018 02:16:07 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0851022B76;
 Tue, 23 Jan 2018 02:16:07 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w0N2G6vH077538;
 Tue, 23 Jan 2018 02:16:06 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w0N2G6Yb077537;
 Tue, 23 Jan 2018 02:16:06 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201801230216.w0N2G6Yb077537@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Tue, 23 Jan 2018 02:16:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r328267 - stable/10/sys/dev/nand
X-SVN-Group: stable-10
X-SVN-Commit-Author: emaste
X-SVN-Commit-Paths: stable/10/sys/dev/nand
X-SVN-Commit-Revision: 328267
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 02:16:08 -0000

Author: emaste
Date: Tue Jan 23 02:16:06 2018
New Revision: 328267
URL: https://svnweb.freebsd.org/changeset/base/328267

Log:
  MFC r317806 by glebius:
  
  The nandsim(4) simulator driver doesn't have any protection against
  races at least in its ioctl handler, and at the same time it creates
  device entry with 0666 permissions.
  
  To plug possible issues in it:
  - Mark it as needing Giant.
  - Switch device mode to 0600.
  
  Submitted by:	C Turt
  Reviewed by:	imp
  Security:	Possible double free in ioctl handler

Modified:
  stable/10/sys/dev/nand/nandsim.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/nand/nandsim.c
==============================================================================
--- stable/10/sys/dev/nand/nandsim.c	Mon Jan 22 21:45:54 2018	(r328266)
+++ stable/10/sys/dev/nand/nandsim.c	Tue Jan 23 02:16:06 2018	(r328267)
@@ -71,6 +71,7 @@ static struct nandsim_chip *get_nandsim_chip(uint8_t, 
 
 static struct cdevsw nandsim_cdevsw = {
 	.d_version =    D_VERSION,
+	.d_flags =	D_NEEDGIANT,
 	.d_ioctl =      nandsim_ioctl,
 	.d_name =       "nandsim",
 };
@@ -639,7 +640,7 @@ nandsim_modevent(module_t mod __unused, int type, void
 	switch (type) {
 	case MOD_LOAD:
 		nandsim_dev = make_dev(&nandsim_cdevsw, 0,
-		    UID_ROOT, GID_WHEEL, 0666, "nandsim.ioctl");
+		    UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl");
 		break;
 	case MOD_UNLOAD:
 		for (i = 0; i < MAX_SIM_DEV; i++) {