Author: trasz
Date: Tue May 22 19:43:20 2012
New Revision: 235803
URL: http://svn.freebsd.org/changeset/base/235803

Log:
  Fix use-after-free in kern_jail_set() triggered e.g. by an attempt
  to clear the "persist" flag on an empty persistent jail, like this:
  
  jail -c persist=1
  jail -n 1 -m persist=0
  
  Submitted by: Mateusz Guzik <mjguzik at gmail dot com>
  MFC after:    2 weeks

Modified:
  head/sys/kern/kern_jail.c

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Tue May 22 19:40:54 2012        (r235802)
+++ head/sys/kern/kern_jail.c   Tue May 22 19:43:20 2012        (r235803)
@@ -1811,6 +1811,16 @@ kern_jail_set(struct thread *td, struct 
                }
        }
 
+#ifdef RACCT
+       if (!created) {
+               sx_sunlock(&allprison_lock);
+               prison_racct_modify(pr);
+               sx_slock(&allprison_lock);
+       }
+#endif
+
+       td->td_retval[0] = pr->pr_id;
+
        /*
         * Now that it is all there, drop the temporary reference from existing
         * prisons.  Or add a reference to newly created persistent prisons
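Review bot: The new sx_sunlock()/sx_slock() pair around prison_racct_modify(pr) at the top of the hunk reopens allprison_lock without saying why, and a reader has to infer that pr survives the window only because of the temporary reference that is dropped further down. A comment would pin both invariants the fix relies on, e.g. `/* prison_racct_modify() is called without allprison_lock (presumably it cannot run with it held); pr stays valid here via the temporary reference dropped below. */`. The relocated `td->td_retval[0] = pr->pr_id;` deserves its own note, since the ordering is the entire fix and nothing else stops a later change from moving it back: `/* Read pr_id before the deref below: it may free pr (e.g. persist cleared on an empty prison). */`. I cannot tell from this hunk whether any state computed under allprison_lock earlier in the function is reused after the reacquire, so that is worth a check; kern_jail_set() begins before and continues past this hunk.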
@@ -1832,12 +1842,6 @@ kern_jail_set(struct thread *td, struct 
                        sx_sunlock(&allprison_lock);
        }
 
-#ifdef RACCT
-       if (!created)
-               prison_racct_modify(pr);
-#endif
-
-       td->td_retval[0] = pr->pr_id;
        goto done_errmsg;
 
  done_deref_locked:
