Fix sendfile(2) write-only file permission bypass.

Security: FreeBSD-SA-08:03.sendfile Submitted by: kib
2008-02-14 11:44:31 +00:00 · 2008-02-14 11:44:31 +00:00 · 1b7089994c
commit 1b7089994c
parent b4437c3d32
2 changed files with 18 additions and 15 deletions
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@ -2050,7 +2050,7 @@ _fgetvp(struct thread *td, int fd, struct vnode **vpp, int flags)
 	int error;

 	*vpp = NULL;
-	if ((error = _fget(td, fd, &fp, 0, 0)) != 0)
+	if ((error = _fget(td, fd, &fp, flags, 0)) != 0)
 		return (error);
 	if (fp->f_vnode == NULL) {
 		error = EINVAL;
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@ -1796,20 +1796,23 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
 		goto out;
 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
-	obj = vp->v_object;
-	if (obj != NULL) {
-		/*
-		 * Temporarily increase the backing VM object's reference
-		 * count so that a forced reclamation of its vnode does not
-		 * immediately destroy it.
-		 */
-		VM_OBJECT_LOCK(obj);
-		if ((obj->flags & OBJ_DEAD) == 0) {
-			vm_object_reference_locked(obj);
-			VM_OBJECT_UNLOCK(obj);
-		} else {
-			VM_OBJECT_UNLOCK(obj);
-			obj = NULL;
+	if (vp->v_type == VREG) {
+		obj = vp->v_object;
+		if (obj != NULL) {
+			/*
+			 * Temporarily increase the backing VM
+			 * object's reference count so that a forced
+			 * reclamation of its vnode does not
+			 * immediately destroy it.
+			 */
+			VM_OBJECT_LOCK(obj);
+			if ((obj->flags & OBJ_DEAD) == 0) {
+				vm_object_reference_locked(obj);
+				VM_OBJECT_UNLOCK(obj);
+			} else {
+				VM_OBJECT_UNLOCK(obj);
+				obj = NULL;
+			}
 		}
 	}
 	VOP_UNLOCK(vp, 0);