The nandsim(4) simulator driver doesn't have any protection against
races at least in its ioctl handler, and at the same time it creates
a device entry with 0666 permissions.

To plug possible issues in it:
- Mark it as needing Giant.
- Switch device mode to 0600.

Submitted by:	C Turt
Reviewed by:	imp
MFC after:	1 week
Security:	Possible double free in ioctl handler
This commit is contained in:
Gleb Smirnoff 2017-05-04 20:42:31 +00:00
parent d4acedbc64
commit 93ed1e805b
@ -71,6 +71,7 @@ static struct nandsim_chip *get_nandsim_chip(uint8_t, uint8_t);
static struct cdevsw nandsim_cdevsw = {
.d_version = D_VERSION,
.d_flags = D_NEEDGIANT,
.d_ioctl = nandsim_ioctl,
.d_name = "nandsim",
};
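Review bot: marking the cdevsw with `.d_flags = D_NEEDGIANT` serializes entry into `nandsim_ioctl` under Giant, which closes the race window the commit message describes, but it does not fix the underlying double free in the handler itself; a short comment next to the flag saying it is a stopgap pending proper locking inside the ioctl path (a per-driver mutex or sx lock) would make the intent clear to whoever later tries to drop Giant from this driver.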
@ -639,7 +640,7 @@ nandsim_modevent(module_t mod __unused, int type, void *data __unused)
switch (type) {
case MOD_LOAD:
nandsim_dev = make_dev(&nandsim_cdevsw, 0,
UID_ROOT, GID_WHEEL, 0666, "nandsim.ioctl");
UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl");
break;
case MOD_UNLOAD:
for (i = 0; i < MAX_SIM_DEV; i++) {
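Review bot: changing the mode in `make_dev(&nandsim_cdevsw, 0, UID_ROOT, GID_WHEEL, 0600, "nandsim.ioctl")` limits the reachable ioctl surface to root, which is the right default for a simulator control node; since this is a security-motivated tightening rather than a cosmetic one, consider noting in a comment at the `make_dev` call that the 0600 mode is deliberate, so it is not relaxed again by a later cleanup.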