Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern PR/56286: Martin Husemann: Fix NULL deref on kmod l...



details:   https://anonhg.NetBSD.org/src/rev/ac43f1ff2e58
branches:  trunk
changeset: 1022032:ac43f1ff2e58
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Jun 30 11:20:32 2021 +0000

description:
PR/56286: Martin Husemann: Fix NULL deref on kmod load.
- No need to set ret_domove and ret_fd in the regular case, they are meaningless
- KASSERT instead of setting errno and then doing the NULL deref.

diffstat:

 sys/kern/vfs_vnops.c |  41 +++++++++++++----------------------------
 1 files changed, 13 insertions(+), 28 deletions(-)

diffs (65 lines):

diff -r 06a47aaaaadd -r ac43f1ff2e58 sys/kern/vfs_vnops.c
--- a/sys/kern/vfs_vnops.c      Wed Jun 30 10:56:24 2021 +0000
+++ b/sys/kern/vfs_vnops.c      Wed Jun 30 11:20:32 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_vnops.c,v 1.216 2021/06/29 22:40:53 dholland Exp $ */
+/*     $NetBSD: vfs_vnops.c,v 1.217 2021/06/30 11:20:32 christos Exp $ */
 
 /*-
  * Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_vnops.c,v 1.216 2021/06/29 22:40:53 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_vnops.c,v 1.217 2021/06/30 11:20:32 christos Exp $");
 
 #include "veriexec.h"
 
@@ -328,35 +328,20 @@
 out:
        pathbuf_stringcopy_put(nd.ni_pathbuf, pathstring);
 
-       /* if the caller isn't prepared to handle fds, fail for them */
-       if (ret_fd == NULL && (error == EDUPFD || error == EMOVEFD)) {
-               /*
-                * XXX: for EMOVEFD (cloning devices) this leaks the
-                * device's file descriptor. That's not good, but
-                * fixing it here would still be a layer violation and
-                * callers not currently prepared to deal weren't
-                * prepared before I rearranged things either and
-                * would still have leaked the fd, so it's at least
-                * not a regression.
-                *    -- dholland 20210627
-                */
-               error = EOPNOTSUPP;
-       }
-
-       if (error == EDUPFD) {
+       switch (error) {
+       case EDUPFD:
+       case EMOVEFD:
+               /* if the caller isn't prepared to handle fds, fail for them */
+               KASSERTMSG(ret_domove && ret_fd,
+                   "caller did not supply ret_domove and ret_fd for %d",
+                   error);
                *ret_vp = NULL;
-               *ret_domove = false;
+               *ret_domove = error == EMOVEFD;
                *ret_fd = l->l_dupfd;
-               error = 0;
-       } else if (error == EMOVEFD) {
-               *ret_vp = NULL;
-               *ret_domove = true;
-               *ret_fd = l->l_dupfd;
-               error = 0;
-       } else if (error == 0) {
+               break;
+       case 0:
                *ret_vp = vp;
-               *ret_domove = false;
-               *ret_fd = -1;
+               break;
        }
        l->l_dupfd = 0;
        return error;



Home | Main Index | Thread Index | Old Index