On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > Author: mjg
> > Date: Fri Feb 21 22:29:09 2014
> > New Revision: 262309
> > URL: http://svnweb.freebsd.org/changeset/base/262309
> >
> > Log:
> >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> >   to use-after-free.
> >
> >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> >   kern_proc_{o,}filedesc_out only checked for hold count.
>
> Can you describe the race in more detail?  The kern_* routines hold
> FILEDESC_SLOCK() while they read the file which should prevent
> fdescfree() from free'ing any files.  Note that fdfree() (called
> under FILEDESC_XLOCK()) clears the file pointer to NULL via the
> bzero(), so the sysctl handler should only see non-NULL pointers
> for files that are not yet free'd.
>
Oops, you are right. I somehow misread the code.

Still, the change is harmless and matches the other loop which iterates
the table (see sysctl_kern_file), so I think it can stay.

The other thing is that with that change in place we can get rid of
XLOCK/XUNLOCK around fdfree in fdescfree.

-- 
Mateusz Guzik <mjguzik gmail.com>
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
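The locking protocol John describes (the free path clears every slot to NULL under the exclusive lock before releasing any file, so a reader walking the table under the shared lock can only ever see NULL or a live file) is worth seeing as a small model. The following is an added example written for this thread, not FreeBSD source; it is a single-threaded model in which `struct lock_model`, `fdtab`, `fdesc_alloc`, `fdesc_count_open` and `fdesc_free` are all hypothetical stand-ins for the kernel's filedesc lock, `fdfree` and `fdescfree`, and "freeing" a file is modelled by setting a flag so the test can still inspect it.

```c
/* Added example (not FreeBSD source): a single-threaded model of the
 * fdescfree() / kern_proc_filedesc_out() protocol discussed above.
 * All names here (lock_model, fdtab, fdesc_*) are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFILES 8

/* Models a struct file; f_freed stands in for the memory being released. */
struct file {
    int f_fd;
    int f_freed;
};

/* Models FILEDESC_SLOCK/XLOCK: asserts the shared/exclusive discipline. */
struct lock_model {
    int readers;
    int writer;
};

static void slock(struct lock_model *l)   { assert(!l->writer); l->readers++; }
static void sunlock(struct lock_model *l) { assert(l->readers > 0); l->readers--; }
static void xlock(struct lock_model *l)   { assert(!l->writer && l->readers == 0); l->writer = 1; }
static void xunlock(struct lock_model *l) { assert(l->writer); l->writer = 0; }

struct fdtab {
    struct lock_model fd_lock;
    int fd_refcnt;                  /* models fd_refcnt: owners of this table */
    struct file *fd_files[NFILES];  /* models the file pointer array */
};

/* Backing store for the modelled files, so a "freed" file can still be
 * inspected after fdesc_free() instead of being real freed memory. */
static struct file file_pool[NFILES];

/* Build a table with nopen open files shared by nrefs owners. */
static struct fdtab *fdesc_alloc(int nopen, int nrefs)
{
    struct fdtab *fdp = calloc(1, sizeof(*fdp));
    assert(fdp != NULL && nopen <= NFILES);
    fdp->fd_refcnt = nrefs;
    for (int i = 0; i < nopen; i++) {
        file_pool[i].f_fd = i;
        file_pool[i].f_freed = 0;
        fdp->fd_files[i] = &file_pool[i];
    }
    return fdp;
}

/* Reader, like the sysctl handler: walk the table under the shared lock
 * and look only at non-NULL slots. Returns the number of open files seen. */
static int fdesc_count_open(struct fdtab *fdp)
{
    int n = 0;
    slock(&fdp->fd_lock);
    for (int i = 0; i < NFILES; i++) {
        struct file *fp = fdp->fd_files[i];
        if (fp == NULL)
            continue;
        assert(!fp->f_freed);   /* in the real kernel this would be a use-after-free */
        n++;
    }
    sunlock(&fdp->fd_lock);
    return n;
}

/* Free path, like fdescfree: drop one reference; at zero, detach every
 * file under the exclusive lock (the bzero in fdfree), release the lock,
 * then free the detached files. Returns the number of files freed. */
static int fdesc_free(struct fdtab *fdp)
{
    struct file *detached[NFILES];
    int n = 0;

    xlock(&fdp->fd_lock);
    if (--fdp->fd_refcnt > 0) {
        xunlock(&fdp->fd_lock);
        return 0;               /* another owner still uses the table */
    }
    for (int i = 0; i < NFILES; i++)
        if (fdp->fd_files[i] != NULL)
            detached[n++] = fdp->fd_files[i];
    memset(fdp->fd_files, 0, sizeof(fdp->fd_files));
    xunlock(&fdp->fd_lock);

    /* No reader holding the shared lock can reach these any more. */
    for (int i = 0; i < n; i++)
        detached[i]->f_freed = 1;
    return n;
}

int main(void)
{
    struct fdtab *fdp = fdesc_alloc(3, 2);
    printf("open before: %d\n", fdesc_count_open(fdp));
    printf("freed on first drop: %d\n", fdesc_free(fdp));
    printf("freed on last drop: %d\n", fdesc_free(fdp));
    printf("open after: %d\n", fdesc_count_open(fdp));
    free(fdp);
    return 0;
}
```

The reader never takes a reference on individual files; its safety rests entirely on the shared lock plus the rule that slots are zeroed under the exclusive lock before their files go away, which is the invariant John's reply relies on.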