Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern Fix kernel pointer leaks in the kern.file sysctl, s...



details:   https://anonhg.NetBSD.org/src/rev/512e2782f359
branches:  trunk
changeset: 994848:512e2782f359
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Nov 24 16:41:48 2018 +0000

description:
Fix kernel pointer leaks in the kern.file sysctl, same as kern.file2.

diffstat:

 sys/kern/kern_descrip.c |  43 +++++++++++++++++++++++++++++++++++++------
 1 files changed, 37 insertions(+), 6 deletions(-)

diffs (96 lines):

diff -r cbb73c367d36 -r 512e2782f359 sys/kern/kern_descrip.c
--- a/sys/kern/kern_descrip.c   Sat Nov 24 16:25:20 2018 +0000
+++ b/sys/kern/kern_descrip.c   Sat Nov 24 16:41:48 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_descrip.c,v 1.240 2018/11/24 16:25:20 maxv Exp $  */
+/*     $NetBSD: kern_descrip.c,v 1.241 2018/11/24 16:41:48 maxv Exp $  */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_descrip.c,v 1.240 2018/11/24 16:25:20 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_descrip.c,v 1.241 2018/11/24 16:41:48 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -118,6 +118,7 @@
 
 static int sysctl_kern_file(SYSCTLFN_PROTO);
 static int sysctl_kern_file2(SYSCTLFN_PROTO);
+static void fill_file(struct file *, const struct file *);
 static void fill_file2(struct kinfo_file *, const file_t *, const fdfile_t *,
                      int, pid_t);
 
@@ -1990,6 +1991,8 @@
 static int
 sysctl_kern_file(SYSCTLFN_ARGS)
 {
+       const bool allowaddr = get_expose_address(curproc);
+       struct filelist flist;
        int error;
        size_t buflen;
        struct file *fp, fbuf;
@@ -2016,13 +2019,18 @@
                return 0;
        }
        sysctl_unlock();
-       error = sysctl_copyout(l, &filehead, where, sizeof(filehead));
+       if (allowaddr) {
+               memcpy(&flist, &filehead, sizeof(flist));
+       } else {
+               memset(&flist, 0, sizeof(flist));
+       }
+       error = sysctl_copyout(l, &flist, where, sizeof(flist));
        if (error) {
                sysctl_relock();
                return error;
        }
-       buflen -= sizeof(filehead);
-       where += sizeof(filehead);
+       buflen -= sizeof(flist);
+       where += sizeof(flist);
 
        /*
         * followed by an array of file structures
@@ -2090,7 +2098,7 @@
                                break;
                        }
 
-                       memcpy(&fbuf, fp, sizeof(fbuf));
+                       fill_file(&fbuf, fp);
                        mutex_exit(&fp->f_lock);
                        error = sysctl_copyout(l, &fbuf, where, sizeof(fbuf));
                        if (error) {
@@ -2286,6 +2294,29 @@
 }
 
 static void
+fill_file(struct file *fp, const struct file *fpsrc)
+{
+       const bool allowaddr = get_expose_address(curproc);
+
+       memset(fp, 0, sizeof(*fp));
+
+       fp->f_offset = fpsrc->f_offset;
+       COND_SET_VALUE(fp->f_cred, fpsrc->f_cred, allowaddr);
+       COND_SET_VALUE(fp->f_ops, fpsrc->f_ops, allowaddr);
+       COND_SET_VALUE(fp->f_undata, fpsrc->f_undata, allowaddr);
+       COND_SET_VALUE(fp->f_list, fpsrc->f_list, allowaddr);
+       COND_SET_VALUE(fp->f_lock, fpsrc->f_lock, allowaddr);
+       fp->f_flag = fpsrc->f_flag;
+       fp->f_marker = fpsrc->f_marker;
+       fp->f_type = fpsrc->f_type;
+       fp->f_advice = fpsrc->f_advice;
+       fp->f_count = fpsrc->f_count;
+       fp->f_msgcount = fpsrc->f_msgcount;
+       fp->f_unpcount = fpsrc->f_unpcount;
+       COND_SET_VALUE(fp->f_unplist, fpsrc->f_unplist, allowaddr);
+}
+
+static void
 fill_file2(struct kinfo_file *kp, const file_t *fp, const fdfile_t *ff,
          int i, pid_t pid)
 {



Home | Main Index | Thread Index | Old Index