authorSimon L. B. Nielsen <simon@FreeBSD.org>2008-02-14 11:47:39 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2008-02-14 11:47:39 +0000
commita3287dcbb9906efb2b0db7880b99b22e377c82cb (patch)
tree2b0cf013fea582a5092c87ffbe7f534ffc96d03f
parente901cc3b3dd3f7fd620e4290d8903b753bf6bfa9 (diff)
downloadsrc-a3287dcbb9906efb2b0db7880b99b22e377c82cb.tar.gz
src-a3287dcbb9906efb2b0db7880b99b22e377c82cb.zip
Fix sendfile(2) write-only file permission bypass.
Security: FreeBSD-SA-08:03.sendfile Approved by: so (simon)
Notes
Notes: svn path=/releng/6.1/; revision=176272
-rw-r--r--UPDATING3
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/kern_descrip.c2
-rw-r--r--sys/kern/uipc_syscalls.c5
4 files changed, 8 insertions, 4 deletions
diff --git a/UPDATING b/UPDATING
index fce1957ad575..118be560cf18 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,9 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20080214: p23 FreeBSD-SA-08:02.sendfile
+ Fix sendfile(2) write-only file permission bypass.
+
20080114: p22 FreeBSD-SA-08:01.pty
Fix issues which allow snooping on ptys.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ea2387524fae..d78740abaeb4 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.1"
-BRANCH="RELEASE-p22"
+BRANCH="RELEASE-p23"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 9cd86a7376c1..2aab17928b8f 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -2031,7 +2031,7 @@ _fgetvp(struct thread *td, int fd, struct vnode **vpp, int flags)
int error;
*vpp = NULL;
- if ((error = _fget(td, fd, &fp, 0, 0)) != 0)
+ if ((error = _fget(td, fd, &fp, flags, 0)) != 0)
return (error);
if (fp->f_vnode == NULL) {
error = EINVAL;
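Review bot: Nothing at this call records why `flags` has to reach `_fget()`, and the removed line shows how easily it is lost: `_fgetvp()` accepted the parameter but passed a literal `0`, so the access mode a caller asked for was apparently never compared with how the descriptor was opened. I would add a comment above the call, such as `/* Pass flags (FREAD/FWRITE) through so _fget() enforces the descriptor's open mode; 0 would skip that check. */`. Because `_fgetvp()` presumably backs every fgetvp_read()/fgetvp_write()-style wrapper and not only the sendfile path, callers that used to succeed on a descriptor opened in the wrong mode will now fail, so those call sites are worth auditing with this change. The function body starts and ends outside the hunk. Separately, the UPDATING entry in this commit names FreeBSD-SA-08:02.sendfile while the commit message names FreeBSD-SA-08:03.sendfile, so one of the two advisory ids looks like a typo.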
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 6635cfe0c182..ff383fd2c53f 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1762,7 +1762,7 @@ static int
do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
{
struct vnode *vp;
- struct vm_object *obj;
+ struct vm_object *obj = NULL;
struct socket *so = NULL;
struct mbuf *m, *m_header = NULL;
struct sf_buf *sf;
@@ -1783,7 +1783,8 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
if ((error = fgetvp_read(td, uap->fd, &vp)) != 0)
goto done;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- obj = vp->v_object;
+ if (vp->v_type == VREG)
+ obj = vp->v_object;
VOP_UNLOCK(vp, 0, td);
if (obj == NULL) {
error = EINVAL;
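Review bot: The `vp->v_type == VREG` test is only safe because `obj` is now initialised to NULL in the declaration hunk above, and nothing at the test says so; if a later edit drops the initialiser, `obj` is indeterminate for non-regular vnodes when `obj == NULL` is evaluated. A comment above the test would make the coupling explicit, for example `/* Take the VM object only from regular files; otherwise obj stays NULL and the check below returns EINVAL. */`. It would also be worth adding a regression test that opens a file write-only and checks that sendfile(2) on that descriptor is refused, since the permission check itself sits behind `fgetvp_read()` in kern_descrip.c and is invisible from this function. do_sendfile() continues past the end of the hunk.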