summaryrefslogtreecommitdiffstats
path: root/sys/kern/kern_descrip.c
diff options
context:
space:
mode:
authormjg <mjg@FreeBSD.org>2014-02-24 21:03:38 +0000
committermjg <mjg@FreeBSD.org>2014-02-24 21:03:38 +0000
commit3948f93fc83c9323caf1f8d15a2737efcd9f4381 (patch)
treec484e863879801a1dff8f9da9ad34d4a4f264836 /sys/kern/kern_descrip.c
parent41269f347e424a7409ae651735c26436debf0cb3 (diff)
downloadFreeBSD-src-3948f93fc83c9323caf1f8d15a2737efcd9f4381.zip
FreeBSD-src-3948f93fc83c9323caf1f8d15a2737efcd9f4381.tar.gz
MFC r262309:
Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading to use-after-free. fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but kern_proc_{o,}filedesc_out only checked for hold count.
Diffstat (limited to 'sys/kern/kern_descrip.c')
-rw-r--r--sys/kern/kern_descrip.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index f4ffd55..2b37f8f 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -3052,7 +3052,7 @@ sysctl_kern_proc_ofiledesc(SYSCTL_HANDLER_ARGS)
if (fdp->fd_jdir != NULL)
export_vnode_for_osysctl(fdp->fd_jdir, KF_FD_TYPE_JAIL, kif,
fdp, req);
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
bzero(kif, sizeof(*kif));
@@ -3422,7 +3422,7 @@ kern_proc_filedesc_out(struct proc *p, struct sbuf *sb, ssize_t maxlen)
export_fd_to_sb(data, KF_TYPE_VNODE, KF_FD_TYPE_JAIL,
FREAD, -1, -1, NULL, efbuf);
}
- for (i = 0; i < fdp->fd_nfiles; i++) {
+ for (i = 0; fdp->fd_refcnt > 0 && i < fdp->fd_nfiles; i++) {
if ((fp = fdp->fd_ofiles[i].fde_file) == NULL)
continue;
data = NULL;
OpenPOWER on IntegriCloud