From owner-svn-src-head@freebsd.org Fri Feb 8 04:06:51 2019 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA8C414D306C; Fri, 8 Feb 2019 04:06:51 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 797338BC6A; Fri, 8 Feb 2019 04:06:51 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D0E8CB418; Fri, 8 Feb 2019 04:06:48 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x1846mQP086193; Fri, 8 Feb 2019 04:06:48 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x1846mc5086192; Fri, 8 Feb 2019 04:06:48 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201902080406.x1846mc5086192@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Fri, 8 Feb 2019 04:06:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r343890 - head/sys/kern X-SVN-Group: head X-SVN-Commit-Author: kib X-SVN-Commit-Paths: head/sys/kern X-SVN-Commit-Revision: 343890 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 797338BC6A X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.97)[-0.975,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Feb 2019 04:06:52 -0000 Author: kib Date: Fri Feb 8 04:06:48 2019 New Revision: 343890 URL: https://svnweb.freebsd.org/changeset/base/343890 Log: do_execve(): lock vnode when needed. Code after exec_fail_dealloc label expects that the image vnode is locked if present. When copyout() of the strings or auxv vectors fails, goto to the error handling did not relocked the vnode as required. The copyout() can be made failing e.g. by creating an ELF image with PT_GNU_STACK segment disabling the write. Reported by: Jonathan Stuart (found by fuzzing) Sponsored by: The FreeBSD Foundation MFC after: 3 days Modified: head/sys/kern/kern_exec.c Modified: head/sys/kern/kern_exec.c ============================================================================== --- head/sys/kern/kern_exec.c Fri Feb 8 03:31:38 2019 (r343889) +++ head/sys/kern/kern_exec.c Fri Feb 8 04:06:48 2019 (r343890) @@ -696,8 +696,10 @@ interpret: else error = suword(--stack_base, imgp->args->argc) == 0 ? 0 : EFAULT; - if (error != 0) + if (error != 0) { + vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto exec_fail_dealloc; + } if (args->fdp != NULL) { /* Install a brand new file descriptor table. */