Fix a race between getvnode() dereferencing half-constructed file

and dupfdopen(). Reported and tested by: pho MFC after: 3 days
2011-11-24 20:34:06 +00:00 · 2011-11-24 20:34:06 +00:00 · 561984be06
commit 561984be06
parent 24d1b19ec4
1 changed files with 14 additions and 1 deletions
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@ -4344,7 +4344,20 @@ getvnode(struct filedesc *fdp, int fd, cap_rights_t rights,
 		fp = fp_fromcap;
 	}
 #endif /* CAPABILITIES */
-	if (fp->f_vnode == NULL) {
+
+	/*
+	 * The file could be not of the vnode type, or it may be not
+	 * yet fully initialized, in which case the f_vnode pointer
+	 * may be set, but f_ops is still badfileops.  E.g.,
+	 * devfs_open() transiently create such situation to
+	 * facilitate csw d_fdopen().
+	 *
+	 * Dupfdopen() handling in kern_openat() installs the
+	 * half-baked file into the process descriptor table, allowing
+	 * other thread to dereference it. Guard against the race by
+	 * checking f_ops.
+	 */
+	if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
 		fdrop(fp, curthread);
 		return (EINVAL);
 	}