Fix sendfile(2) write-only file permission bypass.

Security:	FreeBSD-SA-08:03.sendfile
Submitted by:	kib

1 files changed, 17 insertions, 14 deletions

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 789276e..9709376 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1796,20 +1796,23 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
 		goto out;
 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
-	obj = vp->v_object;
-	if (obj != NULL) {
-		/*
-		 * Temporarily increase the backing VM object's reference
-		 * count so that a forced reclamation of its vnode does not
-		 * immediately destroy it.
-		 */
-		VM_OBJECT_LOCK(obj);
-		if ((obj->flags & OBJ_DEAD) == 0) {
-			vm_object_reference_locked(obj);
-			VM_OBJECT_UNLOCK(obj);
-		} else {
-			VM_OBJECT_UNLOCK(obj);
-			obj = NULL;
+	if (vp->v_type == VREG) {
+		obj = vp->v_object;
+		if (obj != NULL) {
+			/*
+			 * Temporarily increase the backing VM
+			 * object's reference count so that a forced
+			 * reclamation of its vnode does not
+			 * immediately destroy it.
+			 */
+			VM_OBJECT_LOCK(obj);
+			if ((obj->flags & OBJ_DEAD) == 0) {
+				vm_object_reference_locked(obj);
+				VM_OBJECT_UNLOCK(obj);
+			} else {
+				VM_OBJECT_UNLOCK(obj);
+				obj = NULL;
+			}
 		}
 	}
 	VOP_UNLOCK(vp, 0);