diff options
author | trasz <trasz@FreeBSD.org> | 2012-05-22 19:43:20 +0000 |
---|---|---|
committer | trasz <trasz@FreeBSD.org> | 2012-05-22 19:43:20 +0000 |
commit | b2747e472ec736a0a4eb202e6b08a8629bad1bf4 (patch) | |
tree | 30130d440e9ea105ec69c6681c908cd6bf3352ce /sys/kern/kern_jail.c | |
parent | d10fe1dadcfba4c08048202f8ce1a456a7538882 (diff) | |
download | FreeBSD-src-b2747e472ec736a0a4eb202e6b08a8629bad1bf4.zip FreeBSD-src-b2747e472ec736a0a4eb202e6b08a8629bad1bf4.tar.gz |
Fix use-after-free in kern_jail_set() triggered e.g. by attempts
to clear "persist" flag from empty persistent jail, like this:
jail -c persist=1
jail -n 1 -m persist=0
Submitted by: Mateusz Guzik <mjguzik at gmail dot com>
MFC after: 2 weeks
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r-- | sys/kern/kern_jail.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 492594d..4639e3c 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -1811,6 +1811,16 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) } } +#ifdef RACCT + if (!created) { + sx_sunlock(&allprison_lock); + prison_racct_modify(pr); + sx_slock(&allprison_lock); + } +#endif + + td->td_retval[0] = pr->pr_id; + /* * Now that it is all there, drop the temporary reference from existing * prisons. Or add a reference to newly created persistent prisons @@ -1832,12 +1842,6 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) sx_sunlock(&allprison_lock); } -#ifdef RACCT - if (!created) - prison_racct_modify(pr); -#endif - - td->td_retval[0] = pr->pr_id; goto done_errmsg; done_deref_locked: |