authorSimon L. B. Nielsen <simon@FreeBSD.org>2009-10-02 18:09:56 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2009-10-02 18:09:56 +0000
commit021dc5c364aeabaf6cdea2feac0c1301fdcf83c7 (patch)
tree008da0c476d61220fdf6aa229d62b0e761cbf297
parent7cc4540e3901660a7899288dbae64b5440777100 (diff)
MFC r197711 (partial) to 6.x and 7.x:
- Add no zero mapping feature, disabled by default. [EN-09:05]

MFC 178913,178914,179242,179243,180336,180340 to 6.x:
- Fix kqueue pipe race conditions. [SA-09:13]

MFC r192301 to 7.x; 6.x has slightly different fix:
- Fix devfs / VFS NULL pointer race condition. [SA-09:14]

Security: FreeBSD-SA-09:13.pipe
Security: FreeBSD-SA-09:14.devfs
Errata: FreeBSD-EN-09:05.null
Submitted by: kib [SA-09:13] [SA-09:14]
Submitted by: bz [EN-09:05]
In collaboration with: jhb, kib, alc [EN-09:05]
Approved by: so (simon)
Notes
Notes: svn path=/releng/7.2/; revision=197715
-rw-r--r--UPDATING5
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/fs/devfs/devfs_vnops.c1
-rw-r--r--sys/kern/kern_exec.c15
4 files changed, 19 insertions, 4 deletions
diff --git a/UPDATING b/UPDATING
index 19b109100088..6e613aa54f0c 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20091002: p4 FreeBSD-SA-09:14.devfs FreeBSD-EN-09:05.null
+ Fix devfs / VFS NULL pointer race condition. [SA-09:14]
+
+ Add no zero mapping feature. [EN-09:05]
+
20090729: p3 FreeBSD-SA-09:12.bind
Fix BIND named(8) dynamic update message remote DoS.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index bbf24306e398..f573105cfe88 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 97f27b66f0b1..097a1c693733 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -890,6 +890,7 @@ devfs_open(struct vop_open_args *ap)
if (fp != NULL) {
FILE_LOCK(fp);
fp->f_data = dev;
+ fp->f_vnode = vp;
FILE_UNLOCK(fp);
}
fpop = td->td_fpop;
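Review bot: The added `fp->f_vnode = vp;` carries no comment explaining why devfs_open has to set the vnode itself, although it is the entire change for the devfs / VFS NULL pointer race [SA-09:14] named in the commit message. A short comment above the assignment, such as `/* Set f_vnode together with f_data under the file lock so the file is never seen with devfs data but a NULL vnode. */`, would keep a later cleanup from dropping the line as redundant. The exact race window is not visible in this hunk, so that wording should be checked against the advisory. devfs_open starts before and continues past the hunk.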
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index f760f6550994..12aad92b199e 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / 16;
SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
&ps_arg_cache_limit, 0, "");
+static int map_at_zero = 1;
+TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
+SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
+ "Permit processes to map an object at virtual address 0.");
+
static int
sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
{
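Review bot: The new `map_at_zero` knob is `CTLFLAG_RW` but is only consulted at exec time (in exec_new_vmspace, later in this diff), so clearing it on a running system leaves every already-running process with its old address-space minimum, and the description string does not say so. I would add a comment above the declaration, e.g. `/* 1 (default) permits mappings at address 0; 0 raises the user map minimum to at least PAGE_SIZE for images exec'd after the change. */`. Because a later write of 1 silently turns the protection off again, it is also worth considering `CTLFLAG_SECURE` on the OID, and documenting that hardened systems should set the value through the loader tunable so that it applies from boot.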
@@ -939,7 +944,7 @@ exec_new_vmspace(imgp, sv)
int error;
struct proc *p = imgp->proc;
struct vmspace *vmspace = p->p_vmspace;
- vm_offset_t stack_addr;
+ vm_offset_t sv_minuser, stack_addr;
vm_map_t map;
u_long ssiz;
@@ -955,13 +960,17 @@ exec_new_vmspace(imgp, sv)
* not disrupted
*/
map = &vmspace->vm_map;
- if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser &&
+ if (map_at_zero)
+ sv_minuser = sv->sv_minuser;
+ else
+ sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE);
+ if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser &&
vm_map_max(map) == sv->sv_maxuser) {
shmexit(vmspace);
pmap_remove_pages(vmspace_pmap(vmspace));
vm_map_remove(map, vm_map_min(map), vm_map_max(map));
} else {
- error = vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser);
+ error = vmspace_exec(p, sv_minuser, sv->sv_maxuser);
if (error)
return (error);
vmspace = p->p_vmspace;
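Review bot: With `map_at_zero` cleared the floor is `MAX(sv->sv_minuser, PAGE_SIZE)`, so only the first page is kept unmappable and a kernel NULL dereference at an offset of PAGE_SIZE or more still lands on an address that userland can map. That limit deserves a comment next to the computation, e.g. `/* Keeps only page 0 unmapped: covers NULL dereferences at offsets below PAGE_SIZE. */`. Separately, the local `sv_minuser` (declared in the previous hunk) has the same name as the `sv->sv_minuser` field it is derived from, which makes `vm_map_min(map) == sv_minuser` and `vmspace_exec(p, sv_minuser, ...)` easy to misread; a name like `min_addr` would avoid that. exec_new_vmspace starts before and continues past this hunk.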