On 20/06/17(Tue) 13:51, Gerhard Roth wrote:
> Hi,
> 
> A file pointer may be incompletely initialized after falloc(). For example,
> sys_socket() initializes 'f_flag', 'f_type', and 'f_ops' but may sleep
> then in socreate() before assigning 'f_data'.
> 
> That is why there is the FIF_LARVAL flag, which is checked by the macro
> FILE_IS_USABLE(). Of the three different operations sysctl_file()
> implements, two of them (namely KERN_FILE_BYPID and KERN_FILE_BYUID)
> use FILE_IS_USABLE() to keep hands off incomplete file pointers.
> Yet the third operation (KERN_FILE_BYFILE) doesn't. That can yield
> a fault when dereferencing fp->f_data.
> 
> The fix is rather straightforward.

ok mpi@

> Index: sys/kern/kern_sysctl.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
> retrieving revision 1.328
> diff -u -p -u -p -r1.328 kern_sysctl.c
> --- sys/kern/kern_sysctl.c    14 Jun 2017 03:00:40 -0000      1.328
> +++ sys/kern/kern_sysctl.c    20 Jun 2017 11:31:40 -0000
> @@ -1327,6 +1327,7 @@ sysctl_file(int *name, u_int namelen, ch
>               FREF(fp);
>               do {
>                       if (fp->f_count > 1 && /* 0, +1 for our FREF() */
> +                         FILE_IS_USABLE(fp) &&
>                           (arg == 0 || fp->f_type == arg)) {
>                               int af, skip = 0;
>                               if (arg == DTYPE_SOCKET && fp->f_type == arg) {
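Review bot: The new FILE_IS_USABLE(fp) test is correctly placed before the `fp->f_type == arg` comparison and before the DTYPE_SOCKET branch that goes on to dereference fp->f_data, so a larval file can no longer reach that dereference in the KERN_FILE_BYFILE path; this brings it in line with the BYPID and BYUID cases mentioned in the description. Since the neighbouring `f_count > 1` condition carries an explanatory comment (`/* 0, +1 for our FREF() */`), consider giving the new line one as well, e.g. `FILE_IS_USABLE(fp) && /* skip larval files, f_data may be unset */`, so the reason for skipping an entry is visible to the next reader of this loop.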
> 