author | glebius <glebius@FreeBSD.org> | 2016-01-14 10:16:25 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2016-01-14 10:16:25 +0000 |
commit | 796cbcc7388ed25b7353bd9266556844d1f346b7 (patch) | |
tree | 6673dc280aed0d93302ee0dd4aaf8da05c536c44 /sys/compat | |
parent | f65cb2db641567983c348e31026d5e1199fe3fdb (diff) | |
Call crextend() before copying old credentials to the new credentials
and replace crcopysafe by crcopy as crcopysafe is not intended to be
safe in a threaded environment, it drops PROC_LOCK() in while() that
can lead to unexpected results, such as overwriting kernel memory.
In my POV crcopysafe() needs special attention. For now I do not see
any problems with this function, but who knows.
Submitted by: dchagin
Found by: trinity
Security: SA-16:04.linux
Diffstat (limited to 'sys/compat')
-rw-r--r-- | sys/compat/linux/linux_misc.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c index de91869..fe4dbf6 100644 --- a/sys/compat/linux/linux_misc.c +++ b/sys/compat/linux/linux_misc.c @@ -1304,9 +1304,11 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args) if (error) goto out; newcred = crget(); + crextend(newcred, ngrp + 1); p = td->td_proc; PROC_LOCK(p); - oldcred = crcopysafe(p, newcred); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); /* * cr_groups[0] holds egid. Setting the whole set from |
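Review bot: the size passed in crextend(newcred, ngrp + 1) covers only the incoming group set, yet crcopy(newcred, oldcred) then copies the old credential's groups into newcred while PROC_LOCK(p) is held. Nothing in the hunk shows what happens when oldcred carries more than ngrp + 1 groups, so it is worth confirming that crcopy() never has to grow the group array under the lock in that case. Either size the pre-allocation for the larger of the two counts or add a comment next to the crextend() call stating why ngrp + 1 is sufficient. Since the commit message says crcopysafe() was dropped because it releases PROC_LOCK() in its loop, a short comment above oldcred = p->p_ucred; noting that the lock must stay held from this read through the copy would keep a later change from reintroducing the same window.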