Date: Fri, 8 Feb 2019 04:06:48 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r343890 - head/sys/kern Message-ID: <201902080406.x1846mc5086192@repo.freebsd.org>
Author: kib
Date: Fri Feb 8 04:06:48 2019
New Revision: 343890
URL: https://svnweb.freebsd.org/changeset/base/343890

Log:
  do_execve(): lock vnode when needed.

  Code after the exec_fail_dealloc label expects that the image vnode is
  locked if present. When copyout() of the strings or auxv vectors fails,
  the goto to the error handling did not relock the vnode as required.

  The copyout() can be made to fail, e.g. by creating an ELF image with a
  PT_GNU_STACK segment disabling the write.

  Reported by:	Jonathan Stuart <n0t.jcs@gmail.com> (found by fuzzing)
  Sponsored by:	The FreeBSD Foundation
  MFC after:	3 days

Modified:
  head/sys/kern/kern_exec.c

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c	Fri Feb 8 03:31:38 2019	(r343889)
+++ head/sys/kern/kern_exec.c	Fri Feb 8 04:06:48 2019	(r343890)
@@ -696,8 +696,10 @@ interpret: else error = suword(--stack_base, imgp->args->argc) == 0 ? 0 : EFAULT; - if (error != 0) + if (error != 0) { + vn_lock(imgp->vp, LK_SHARED | LK_RETRY); goto exec_fail_dealloc; + } if (args->fdp != NULL) { /* Install a brand new file descriptor table. */
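Review bot: The added vn_lock(imgp->vp, LK_SHARED | LK_RETRY) in front of `goto exec_fail_dealloc` carries no comment at the call site, so the invariant it restores (code after exec_fail_dealloc expects the image vnode to be locked when present) lives only in the commit log; a one-line comment such as `/* exec_fail_dealloc expects imgp->vp locked. */` above the call would keep the next error path added inside this unlocked window from reintroducing the same bug. The log also describes the reporter's reproducer (an ELF image whose PT_GNU_STACK segment disables write, making the copyout fail), which is a good candidate for a regression test so the unlock/relock pairing around the argv/auxv copyout stays covered.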