HomeFreeBSD
Diffusion FreeBSD src repository - subversion rS350199

Check and avoid overflow when incrementing fp->f_count in
rS350199
Actions

Description

Check and avoid overflow when incrementing fp->f_count in
fget_unlocked() and fhold().

On sufficiently large machine, f_count can be legitimately very large,
e.g. malicious code can dup same fd up to the per-process
filedescriptors limit, and then fork as much as it can.
On some smaller machine, I see
kern.maxfilesperproc: 939132
kern.maxprocperuid: 34203
which already overflows u_int. More, the malicious code can create
transient references by sending fds over unix sockets.

I realized that this check is missed after reading
https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html

Reviewed by: markj (previous version), mjg
Tested by: pho (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D20947

Details

Provenance
kibAuthored on
Reviewer
markj
Differential Revision
D20947: Check and avoid overflow when incrementing fp->f_count in fget_unlocked() and fhold().
Parents
rS350198: MFC r349952
Branches
Unknown
Tags
Unknown

Changes (5)

PathSize
head/
sys/
kern/
sys/

rS350199

View Options

head/sys/kern/kern_descrip.c

Loading...
View Options

head/sys/kern/sys_generic.c

Loading...
View Options

head/sys/kern/uipc_usrreq.c

Loading...
View Options

head/sys/sys/file.h

Loading...
View Options

head/sys/sys/refcount.h

Loading...