[Glibc-bsd-commits] r2130 - in trunk/kfreebsd-6/debian: . patches

ps-guest at alioth.debian.org ps-guest at alioth.debian.org
Fri Feb 15 07:51:38 UTC 2008


Author: ps-guest
Date: 2008-02-15 07:51:36 +0000 (Fri, 15 Feb 2008)
New Revision: 2130

Added:
   trunk/kfreebsd-6/debian/patches/000_sendfile.diff
Modified:
   trunk/kfreebsd-6/debian/changelog
   trunk/kfreebsd-6/debian/patches/series
Log:
* Fix sendfile(2) write-only file permission bypass
  (FreeBSD-SA-08:03.sendfile / CVE-2008-0777).



Modified: trunk/kfreebsd-6/debian/changelog
===================================================================
--- trunk/kfreebsd-6/debian/changelog	2008-02-08 17:03:06 UTC (rev 2129)
+++ trunk/kfreebsd-6/debian/changelog	2008-02-15 07:51:36 UTC (rev 2130)
@@ -1,3 +1,11 @@
+kfreebsd-6 (6.3-3) UNRELEASED; urgency=high
+
+  [ Petr Salinger ]
+  * Fix sendfile(2) write-only file permission bypass
+    (FreeBSD-SA-08:03.sendfile / CVE-2008-0777).
+
+ -- Aurelien Jarno <aurel32 at debian.org>  Fri, 15 Feb 2008 08:32:14 +0100
+
 kfreebsd-6 (6.3-2) unstable; urgency=low
 
   * Really build-depends on gcc-3.4. 

Added: trunk/kfreebsd-6/debian/patches/000_sendfile.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_sendfile.diff	                        (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_sendfile.diff	2008-02-15 07:51:36 UTC (rev 2130)
@@ -0,0 +1,61 @@
+Index: sys/kern/kern_descrip.c
+===================================================================
+RCS file: /home/ncvs/src/sys/kern/kern_descrip.c,v
+retrieving revision 1.313
+diff -u -d -r1.313 kern_descrip.c
+--- sys/kern/kern_descrip.c	6 Aug 2007 14:26:00 -0000	1.313
++++ sys/kern/kern_descrip.c	4 Feb 2008 19:05:42 -0000
+@@ -2046,7 +2046,7 @@
+ 	int error;
+ 
+ 	*vpp = NULL;
+-	if ((error = _fget(td, fd, &fp, 0, 0)) != 0)
++	if ((error = _fget(td, fd, &fp, flags, 0)) != 0)
+ 		return (error);
+ 	if (fp->f_vnode == NULL) {
+ 		error = EINVAL;
+Index: sys/kern/uipc_syscalls.c
+===================================================================
+RCS file: /home/ncvs/src/sys/kern/uipc_syscalls.c,v
+retrieving revision 1.259.2.1
+diff -u -d -r1.259.2.1 uipc_syscalls.c
+--- sys/kern/uipc_syscalls.c	1 Feb 2008 22:51:39 -0000	1.259.2.1
++++ sys/kern/uipc_syscalls.c	4 Feb 2008 19:05:42 -0000
+@@ -1796,20 +1796,23 @@
+ 		goto out;
+ 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
+ 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+-	obj = vp->v_object;
+-	if (obj != NULL) {
+-		/*
+-		 * Temporarily increase the backing VM object's reference
+-		 * count so that a forced reclamation of its vnode does not
+-		 * immediately destroy it.
+-		 */
+-		VM_OBJECT_LOCK(obj);
+-		if ((obj->flags & OBJ_DEAD) == 0) {
+-			vm_object_reference_locked(obj);
+-			VM_OBJECT_UNLOCK(obj);
+-		} else {
+-			VM_OBJECT_UNLOCK(obj);
+-			obj = NULL;
++	if (vp->v_type == VREG) {
++		obj = vp->v_object;
++		if (obj != NULL) {
++			/*
++			 * Temporarily increase the backing VM
++			 * object's reference count so that a forced
++			 * reclamation of its vnode does not
++			 * immediately destroy it.
++			 */
++			VM_OBJECT_LOCK(obj);
++			if ((obj->flags & OBJ_DEAD) == 0) {
++				vm_object_reference_locked(obj);
++				VM_OBJECT_UNLOCK(obj);
++			} else {
++				VM_OBJECT_UNLOCK(obj);
++				obj = NULL;
++			}
+ 		}
+ 	}
+ 	VOP_UNLOCK(vp, 0, td);
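Review bot: In the embedded uipc_syscalls.c change, `obj` is now assigned only inside `if (vp->v_type == VREG)`, so for any other vnode type its value after `VOP_UNLOCK` is whatever it held before this excerpt. The declaration and the later use of `obj` are outside the hunk, so confirm it is initialised to NULL at declaration and that the following code rejects a NULL `obj` rather than dereferencing it. The kern_descrip.c change from `_fget(td, fd, &fp, 0, 0)` to `_fget(td, fd, &fp, flags, 0)` affects every caller of the enclosing helper, not only sendfile(2), because the previously ignored `flags` argument is now presumably checked against the descriptor's open mode; the other callers are worth auditing for a mode they did not mean to enforce. A short comment above that call would help, for example `/* Pass the caller's access mode through so the descriptor's open flags are checked (CVE-2008-0777). */`. A header line at the top of 000_sendfile.diff naming FreeBSD-SA-08:03.sendfile as its origin would also keep the patch traceable independently of the changelog.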

Modified: trunk/kfreebsd-6/debian/patches/series
===================================================================
--- trunk/kfreebsd-6/debian/patches/series	2008-02-08 17:03:06 UTC (rev 2129)
+++ trunk/kfreebsd-6/debian/patches/series	2008-02-15 07:51:36 UTC (rev 2130)
@@ -1,3 +1,4 @@
+000_sendfile.diff -p0
 000_nfe.diff -p0
 001_misc.diff -p0
 003_glibc_dev_aicasm.diff -p0



