Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 12/23/2006 16:00:06
The following reply was made to PR kern/35278; it has been noted by GNATS.

From: Elad Efrat <elad@NetBSD.org>
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
Date: Sat, 23 Dec 2006 17:57:02 +0200

 This is a multi-part message in MIME format.
 --------------040409000104060702060305
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 YAMAMOTO Takashi wrote:
 
 > now you are leaking pnbuf, i think.
 > VOP_REMOVE doesn't free pnbuf for you.
 
 heh, right, see diff..
 
 -e.
 
 
 --------------040409000104060702060305
 Content-Type: text/plain;
  name="pr35278.diff"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="pr35278.diff"
 
 Index: kern_exec.c
 ===================================================================
 RCS file: /usr/cvs/src/sys/kern/kern_exec.c,v
 retrieving revision 1.233
 diff -u -p -r1.233 kern_exec.c
 --- kern_exec.c	20 Dec 2006 11:35:29 -0000	1.233
 +++ kern_exec.c	22 Dec 2006 09:37:46 -0000
 @@ -286,15 +286,16 @@ check_exec(struct lwp *l, struct exec_pa
  	VOP_UNLOCK(vp, 0);
  
  #if NVERIEXEC > 0
 -        if ((error = veriexec_verify(l, vp, epp->ep_ndp->ni_dirp,
 +	if ((error = veriexec_verify(l, vp, ndp->ni_cnd.cn_pnbuf,
  	    epp->ep_flags & EXEC_INDIR ? VERIEXEC_INDIRECT : VERIEXEC_DIRECT,
  	    NULL)) != 0)
 -                goto bad2;
 +		goto bad2;
  #endif /* NVERIEXEC > 0 */
  
  #ifdef PAX_SEGVGUARD
 -	if (pax_segvguard(l, vp, epp->ep_ndp->ni_dirp, FALSE))
 -		return (EPERM);
 +	error = pax_segvguard(l, vp, ndp->ni_cnd.cn_pnbuf, FALSE);
 +	if (error)
 +		goto bad2;
  #endif /* PAX_SEGVGUARD */
  
  	/* now we have the file, get the exec header */
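Review bot: The new pax_segvguard error path (lines `error = pax_segvguard(...); if (error) goto bad2;`) propagates whatever pax_segvguard() returns as check_exec's error, whereas the removed lines mapped any non-zero result to EPERM; that is an improvement if pax_segvguard returns an errno value, but if it returns a flag the caller would see an arbitrary integer that only coincidentally matches an errno. Unless pax_segvguard is documented to return an errno, keeping the mapping explicit avoids the ambiguity: `if (pax_segvguard(l, vp, ndp->ni_cnd.cn_pnbuf, FALSE)) { error = EPERM; goto bad2; }`. Both new call sites also depend on ndp->ni_cnd.cn_pnbuf still being allocated here, which presumably requires SAVENAME (or SAVESTART) on the exec's nameidata; that NDINIT, the declaration of ndp, and the rest of check_exec are outside the hunk, so this should be confirmed. The switch from `return (EPERM)` to `goto bad2` does fix the resource leak the old early return had, which the commit message should say.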
 Index: vfs_syscalls.c
 ===================================================================
 RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v
 retrieving revision 1.281
 diff -u -p -r1.281 vfs_syscalls.c
 --- vfs_syscalls.c	14 Dec 2006 09:24:54 -0000	1.281
 +++ vfs_syscalls.c	22 Dec 2006 14:39:20 -0000
 @@ -2017,7 +2017,7 @@ sys_unlink(struct lwp *l, void *v, regis
  	struct nameidata nd;
  
  restart:
 -	NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE,
 +	NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF | SAVENAME, UIO_USERSPACE,
  	    SCARG(uap, path), l);
  	if ((error = namei(&nd)) != 0)
  		return (error);
 @@ -2039,7 +2039,7 @@ restart:
  
  #if NVERIEXEC > 0
  	/* Handle remove requests for veriexec entries. */
 -	if ((error = veriexec_removechk(vp, nd.ni_dirp, l)) != 0) {
 +	if ((error = veriexec_removechk(vp, nd.ni_cnd.cn_pnbuf, l)) != 0) {
  		VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
  		if (nd.ni_dvp == vp)
  			vrele(nd.ni_dvp);
 @@ -2049,7 +2049,7 @@ restart:
  		goto out;
  	}
  #endif /* NVERIEXEC > 0 */
 -	
 +
  	if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
  		VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
  		if (nd.ni_dvp == vp)
 @@ -2059,9 +2059,10 @@ restart:
  		vput(vp);
  		if ((error = vn_start_write(NULL, &mp,
  		    V_WAIT | V_SLEEPONLY | V_PCATCH)) != 0)
 -			return (error);
 +			goto out;
  		goto restart;
  	}
 +	PNBUF_PUT(nd.ni_cnd.cn_pnbuf);
  	VOP_LEASE(nd.ni_dvp, l, l->l_cred, LEASE_WRITE);
  	VOP_LEASE(vp, l, l->l_cred, LEASE_WRITE);
  #ifdef FILEASSOC
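Review bot: `PNBUF_PUT(nd.ni_cnd.cn_pnbuf);` on the line before VOP_LEASE frees the buffer while nd.ni_cnd still carries SAVENAME (added in the NDINIT hunk above) and HASBUF, and cn_nameptr still points into it, so &nd.ni_cnd is then handed to VOP_REMOVE with a dangling name pointer and a flag word that claims the buffer is live. That is only safe for VOP_REMOVE implementations that neither read cn_nameptr/cn_namelen nor free cn_pnbuf themselves; a filesystem whose own lookup sets SAVENAME for DELETE and whose remove op releases the buffer (some non-local filesystems have done this) would read freed memory and double-free. A safer shape is to leave namei's flags as they were and give the veriexec check its own copy of the path — `char *pathbuf = PNBUF_GET(); error = copyinstr(SCARG(uap, path), pathbuf, MAXPATHLEN, NULL);` — released at `out:` on every exit, so the componentname contract seen by VOP_REMOVE is unchanged. The `return (error)` → `goto out` change is equivalent only if `out:` does nothing beyond returning; the label and the VOP_REMOVE call are outside the hunk.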
 @@ -3309,8 +3310,8 @@ rename_files(const char *from, const cha
  	struct proc *p;
  	int error;
  
 -	NDINIT(&fromnd, DELETE, LOCKPARENT | SAVESTART, UIO_USERSPACE,
 -	    from, l);
 +	NDINIT(&fromnd, DELETE, LOCKPARENT | SAVESTART | SAVENAME,
 +	    UIO_USERSPACE, from, l);
  	if ((error = namei(&fromnd)) != 0)
  		return (error);
  	VOP_UNLOCK(fromnd.ni_dvp, 0);
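Review bot: SAVENAME added to fromnd's NDINIT here (and to tond's in the next hunk) looks redundant: both lookups already carry SAVESTART, which by itself appears sufficient to keep cn_pnbuf allocated until the caller releases it, and the diff adds no PNBUF_PUT in this function, which suggests rename_files already frees both buffers on its exit path; worth confirming against namei's SAVESTART/HASBUF handling before changing the flags a filesystem's lookup sees. If the flag stays, the tond hunk indents its continuation one space deeper than this one (`\t     UIO_USERSPACE, to, l);` versus `\t    UIO_USERSPACE, from, l);`); aligning both to the four-space continuation keeps the two NDINIT calls consistent. The body of rename_files continues outside both hunks.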
 @@ -3326,7 +3327,8 @@ rename_files(const char *from, const cha
  		return (error);
  	}
  	NDINIT(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | SAVESTART |
 -	    (fvp->v_type == VDIR ? CREATEDIR : 0), UIO_USERSPACE, to, l);
 +	    (fvp->v_type == VDIR ? CREATEDIR : 0) | SAVENAME,
 +	     UIO_USERSPACE, to, l);
  	if ((error = namei(&tond)) != 0) {
  		VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
  		vrele(fromnd.ni_dvp);
 @@ -3365,8 +3367,8 @@ rename_files(const char *from, const cha
  
  #if NVERIEXEC > 0
  	if (!error)
 -		error = veriexec_renamechk(fvp, fromnd.ni_dirp, tvp,
 -		    tond.ni_dirp, l);
 +		error = veriexec_renamechk(fvp, fromnd.ni_cnd.cn_pnbuf,
 +		    tvp, tond.ni_cnd.cn_pnbuf, l);
  #endif /* NVERIEXEC > 0 */
  
  out:
 
 
 --------------040409000104060702060305--