author | Xin LI <delphij@FreeBSD.org> | 2014-06-03 19:03:23 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2014-06-03 19:03:23 +0000 |
commit | caa09227514691d195fbd47cf9a0f6ea27447f80 (patch) | |
tree | 3242c21e29796ce7cf7976f13457679e4bde643c | |
parent | c5306947f754ae1c8e27f7039f58d7c3453abfac (diff) | |
Fix sendmail improper close-on-exec flag handling. [SA-14:11]
Fix ktrace memory disclosure. [SA-14:12]
Fix triple-fault when executing from a threaded process. [EN-14:06]
Approved by: so
Notes
Notes:
svn path=/releng/8.4/; revision=267019
-rw-r--r-- | UPDATING | 11 | ||||
-rw-r--r-- | contrib/sendmail/src/conf.c | 4 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/kern/kern_exec.c | 9 | ||||
-rw-r--r-- | sys/kern/kern_ktrace.c | 1 | ||||
-rw-r--r-- | sys/sys/proc.h | 1 | ||||
-rw-r--r-- | sys/vm/vm_map.c | 4 |
7 files changed, 28 insertions, 4 deletions
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V: debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140603: p11 FreeBSD-SA-14:11.sendmail + FreeBSD-SA-14:12.ktrace + FreeBSD-EN-14:06.exec + + Fix sendmail improper close-on-exec flag handling. [SA-14:11] + + Fix ktrace memory disclosure. [SA-14:12] + + Fix triple-fault when executing from a threaded process. + [EN-14:06] + 20140513: p10 FreeBSD-EN-14:03.pkg FreeBSD-EN-14:04.kldxref diff --git a/contrib/sendmail/src/conf.c b/contrib/sendmail/src/conf.c index edfa0c2bf664..3d5ff95d2896 100644 --- a/contrib/sendmail/src/conf.c +++ b/contrib/sendmail/src/conf.c @@ -5265,8 +5265,8 @@ closefd_walk(lowest, fd) */ void -sm_close_on_exec(highest, lowest) - int highest, lowest; +sm_close_on_exec(lowest, highest) + int lowest, highest; { #if HASFDWALK (void) fdwalk(closefd_walk, &lowest); diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 92c74374888b..2f33cc0d0853 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p10" +BRANCH="RELEASE-p11" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 1f50d1121e1d..bf0c9c4f2896 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -278,6 +278,7 @@ kern_execve(td, args, mac_p) struct mac *mac_p; { struct proc *p = td->td_proc; + struct vmspace *oldvmspace; int error; AUDIT_ARG_ARGV(args->begin_argv, args->argc, @@ -294,6 +295,8 @@ kern_execve(td, args, mac_p) PROC_UNLOCK(p); } + KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve")); + oldvmspace = td->td_proc->p_vmspace; error = do_execve(td, args, mac_p); if (p->p_flag & P_HADTHREADS) { 
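Review bot: In the `sm_close_on_exec` hunk the visible HASFDWALK branch passes only `&lowest` to `fdwalk()`, so `highest` is not consulted on that path, and the header comment ending just above the definition should say so. Both parameters are plain `int` in a K&R-style definition, so the compiler cannot flag a caller that still passes them in the old order, which is the mistake this commit corrects. I would add a line such as `/* lowest: first fd to mark close-on-exec; highest: last fd (not used by the fdwalk() path) */` and confirm that the declaration and every call site use the same order. The function body continues past the end of the hunk, so the non-fdwalk path is not visible here.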
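Review bot: `oldvmspace = td->td_proc->p_vmspace;` in the second kern_execve hunk re-derives the process pointer although `p` is already initialised from `td->td_proc` at the top of the function; `oldvmspace = p->p_vmspace;` would match the surrounding `p->p_flag` tests. The save also has no comment explaining why it must happen before `do_execve()`; something like `/* remember the current vmspace so it can be released once do_execve() has switched away from it */` would help the next reader. kern_execve continues beyond this hunk.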
@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p) thread_single_end(); PROC_UNLOCK(p); } + if ((td->td_pflags & TDP_EXECVMSPC) != 0) { + KASSERT(td->td_proc->p_vmspace != oldvmspace, + ("oldvmspace still used")); + vmspace_free(oldvmspace); + td->td_pflags &= ~TDP_EXECVMSPC; + } return (error); } diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 84fc1843894c..aa50fa4f09e2 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -117,6 +117,7 @@ static int data_lengths[] = { 0, /* KTR_SYSCTL */ sizeof(struct ktr_proc_ctor), /* KTR_PROCCTOR */ 0, /* KTR_PROCDTOR */ + 0, /* unused */ sizeof(struct ktr_fault), /* KTR_FAULT */ sizeof(struct ktr_faultend), /* KTR_FAULTEND */ }; diff --git a/sys/sys/proc.h b/sys/sys/proc.h index eadd418beaf6..73fdc47a513b 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -938,4 +938,5 @@ curthread_pflags_restore(int save) #endif /* _KERNEL */ +#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */ #endif /* !_SYS_PROC_H_ */ diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 18442afc4518..aa7a7e99ca5f 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser) struct vmspace *oldvmspace = p->p_vmspace; struct vmspace *newvmspace; + KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0, + ("vmspace_exec recursed")); newvmspace = vmspace_alloc(minuser, maxuser); if (newvmspace == NULL) return (ENOMEM); @@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser) PROC_VMSPACE_UNLOCK(p); if (p == curthread->td_proc) pmap_activate(curthread); - vmspace_free(oldvmspace); + curthread->td_pflags |= TDP_EXECVMSPC; return (0); } |
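Review bot: Before `vmspace_free(oldvmspace)` in the third kern_execve hunk, the only check that `oldvmspace` is no longer the process's active vmspace is a `KASSERT`, which as far as I know compiles to nothing unless the kernel is built with INVARIANTS. If TDP_EXECVMSPC were ever left set by a path that does not return through this function (none is visible here), a production kernel would drop a reference on the vmspace still in use. I would record the invariant next to the block, e.g. `/* vmspace_exec() defers the free to here; TDP_EXECVMSPC can only have been set by the do_execve() call above */`, if that is indeed the guarantee. The block could also use `p->p_vmspace` instead of `td->td_proc->p_vmspace` for consistency with the rest of the function.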
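Review bot: `data_lengths[]` appears to be a positional table indexed by record type, so the new `0, /* unused */` entry stays correct only while its position matches the numeric type, and nothing in the hunk enforces that. A compile-time check next to the array would catch the next gap, for example `CTASSERT(sizeof(data_lengths) / sizeof(data_lengths[0]) == KTR_FAULTEND + 1);`, assuming KTR_FAULTEND is the highest record type on this branch. The comment could also name the record type the slot stands in for rather than just `unused`. The array definition starts outside the hunk.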
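Review bot: `TDP_EXECVMSPC` is added after `#endif /* _KERNEL */` at the very end of the header instead of beside the other thread-private `TDP_*` flags. From this hunk alone a reviewer cannot confirm that `0x40000000` is not already used by another bit in `td_pflags`. Moving the define into the existing flag list would make a collision obvious and keep the flags in one place. If the placement is deliberate for this release branch, a short comment saying so would help.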
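Review bot: `curthread->td_pflags |= TDP_EXECVMSPC;` in the second vmspace_exec hunk is unconditional, while the line just above it treats `p == curthread->td_proc` as something that may be false. If vmspace_exec can be reached for a process other than the caller's own (not determinable from this hunk), the flag lands on a thread whose kern_execve saved a different vmspace, and the old vmspace of `p` is never released. Either assert the assumption, e.g. `KASSERT(p == curthread->td_proc, ("vmspace_exec on foreign process"));`, or state in the function comment that the caller now owns the final `vmspace_free()` of the old vmspace. The function begins outside both hunks.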