Permalink
Browse files

7696 procfs lacks adequate access checks for CREAT actions

Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Alex Wilson <alex.wilson@joyent.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
  • Loading branch information...
pfmooney authored and rmustacc committed Dec 17, 2016
1 parent de48325 commit fee52838cd1191a3efe83b67de7bccdd401af35e
Showing with 30 additions and 16 deletions.
  1. +30 −16 usr/src/uts/common/fs/proc/prvnops.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2014, Joyent, Inc. All rights reserved.
+ * Copyright 2016 Joyent, Inc.
*/
/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
@@ -3428,32 +3428,46 @@ prcreate(vnode_t *dp, char *comp, vattr_t *vap, vcexcl_t excl,
if ((error = prlookup(dp, comp, vpp, NULL, 0, NULL, cr,
ct, NULL, NULL)) != 0) {
- if (error == ENOENT) /* can't O_CREAT nonexistent files */
- error = EACCES; /* unwriteable directories */
- } else {
- if (excl == EXCL) /* O_EXCL */
- error = EEXIST;
- else if (vap->va_mask & AT_SIZE) { /* O_TRUNC */
+ if (error == ENOENT) {
+ /* One can't O_CREAT nonexistent files in /proc. */
+ error = EACCES;
+ }
+ return (error);
+ }
+
+ if (excl == EXCL) {
+ /* Disallow the O_EXCL case */
+ error = EEXIST;
+ } else if ((error = praccess(*vpp, mode, 0, cr, ct)) == 0) {
+ /* Before proceeding, handle O_TRUNC if necessary. */
+ if (vap->va_mask & AT_SIZE) {
vnode_t *vp = *vpp;
- uint_t mask;
- if (vp->v_type == VDIR)
+ if (vp->v_type == VDIR) {
+ /* Only allow O_TRUNC on files */
error = EISDIR;
- else if (vp->v_type != VPROC ||
- VTOP(vp)->pr_type != PR_FD)
+ } else if (vp->v_type != VPROC ||
+ VTOP(vp)->pr_type != PR_FD) {
+ /*
+ * Disallow for files outside of the
+ * /proc/<pid>/fd/<n> entries
+ */
error = EACCES;
- else { /* /proc/<pid>/fd/<n> */
+ } else {
+ uint_t mask;
+
vp = VTOP(vp)->pr_realvp;
mask = vap->va_mask;
vap->va_mask = AT_SIZE;
error = VOP_SETATTR(vp, vap, 0, cr, ct);
vap->va_mask = mask;
}
}
- if (error) {
- VN_RELE(*vpp);
- *vpp = NULL;
- }
+ }
+
+ if (error) {
+ VN_RELE(*vpp);
+ *vpp = NULL;
}
return (error);
}

0 comments on commit fee5283

Please sign in to comment.