Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 12/23/2006 16:00:06
The following reply was made to PR kern/35278; it has been noted by GNATS.
From: Elad Efrat <elad@NetBSD.org>
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
Date: Sat, 23 Dec 2006 17:57:02 +0200
This is a multi-part message in MIME format.
--------------040409000104060702060305
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
YAMAMOTO Takashi wrote:
> now you are leaking pnbuf, i think.
> VOP_REMOVE doesn't free pnbuf for you.
heh, right, see diff..
-e.
--------------040409000104060702060305
Content-Type: text/plain;
name="pr35278.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="pr35278.diff"
Index: kern_exec.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.233
diff -u -p -r1.233 kern_exec.c
--- kern_exec.c 20 Dec 2006 11:35:29 -0000 1.233
+++ kern_exec.c 22 Dec 2006 09:37:46 -0000
@@ -286,15 +286,16 @@ check_exec(struct lwp *l, struct exec_pa
VOP_UNLOCK(vp, 0);
#if NVERIEXEC > 0
- if ((error = veriexec_verify(l, vp, epp->ep_ndp->ni_dirp,
+ if ((error = veriexec_verify(l, vp, ndp->ni_cnd.cn_pnbuf,
epp->ep_flags & EXEC_INDIR ? VERIEXEC_INDIRECT : VERIEXEC_DIRECT,
NULL)) != 0)
- goto bad2;
+ goto bad2;
#endif /* NVERIEXEC > 0 */
#ifdef PAX_SEGVGUARD
- if (pax_segvguard(l, vp, epp->ep_ndp->ni_dirp, FALSE))
- return (EPERM);
+ error = pax_segvguard(l, vp, ndp->ni_cnd.cn_pnbuf, FALSE);
+ if (error)
+ goto bad2;
#endif /* PAX_SEGVGUARD */
/* now we have the file, get the exec header */
Index: vfs_syscalls.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.281
diff -u -p -r1.281 vfs_syscalls.c
--- vfs_syscalls.c 14 Dec 2006 09:24:54 -0000 1.281
+++ vfs_syscalls.c 22 Dec 2006 14:39:20 -0000
@@ -2017,7 +2017,7 @@ sys_unlink(struct lwp *l, void *v, regis
struct nameidata nd;
restart:
- NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE,
+ NDINIT(&nd, DELETE, LOCKPARENT | LOCKLEAF | SAVENAME, UIO_USERSPACE,
SCARG(uap, path), l);
if ((error = namei(&nd)) != 0)
return (error);
@@ -2039,7 +2039,7 @@ restart:
#if NVERIEXEC > 0
/* Handle remove requests for veriexec entries. */
- if ((error = veriexec_removechk(vp, nd.ni_dirp, l)) != 0) {
+ if ((error = veriexec_removechk(vp, nd.ni_cnd.cn_pnbuf, l)) != 0) {
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
if (nd.ni_dvp == vp)
vrele(nd.ni_dvp);
@@ -2049,7 +2049,7 @@ restart:
goto out;
}
#endif /* NVERIEXEC > 0 */
-
+
if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
if (nd.ni_dvp == vp)
@@ -2059,9 +2059,10 @@ restart:
vput(vp);
if ((error = vn_start_write(NULL, &mp,
V_WAIT | V_SLEEPONLY | V_PCATCH)) != 0)
- return (error);
+ goto out;
goto restart;
}
+ PNBUF_PUT(nd.ni_cnd.cn_pnbuf);
VOP_LEASE(nd.ni_dvp, l, l->l_cred, LEASE_WRITE);
VOP_LEASE(vp, l, l->l_cred, LEASE_WRITE);
#ifdef FILEASSOC
@@ -3309,8 +3310,8 @@ rename_files(const char *from, const cha
struct proc *p;
int error;
- NDINIT(&fromnd, DELETE, LOCKPARENT | SAVESTART, UIO_USERSPACE,
- from, l);
+ NDINIT(&fromnd, DELETE, LOCKPARENT | SAVESTART | SAVENAME,
+ UIO_USERSPACE, from, l);
if ((error = namei(&fromnd)) != 0)
return (error);
VOP_UNLOCK(fromnd.ni_dvp, 0);
@@ -3326,7 +3327,8 @@ rename_files(const char *from, const cha
return (error);
}
NDINIT(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | SAVESTART |
- (fvp->v_type == VDIR ? CREATEDIR : 0), UIO_USERSPACE, to, l);
+ (fvp->v_type == VDIR ? CREATEDIR : 0) | SAVENAME,
+ UIO_USERSPACE, to, l);
if ((error = namei(&tond)) != 0) {
VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
vrele(fromnd.ni_dvp);
@@ -3365,8 +3367,8 @@ rename_files(const char *from, const cha
#if NVERIEXEC > 0
if (!error)
- error = veriexec_renamechk(fvp, fromnd.ni_dirp, tvp,
- tond.ni_dirp, l);
+ error = veriexec_renamechk(fvp, fromnd.ni_cnd.cn_pnbuf,
+ tvp, tond.ni_cnd.cn_pnbuf, l);
#endif /* NVERIEXEC > 0 */
out:
--------------040409000104060702060305--