CommitterKonstantin Belousov (kib) (1)
AuthorKonstantin Belousov (kib) (1)
Branchesreleng/13.0 (1)


FreeBSD/src f1cf2b9 (r350199)sys/kern kern_descrip.c uipc_usrreq.c, sys/sys refcount.h file.h

by Konstantin Belousov (kib) on ⎇
Check and avoid overflow when incrementing fp->f_count in
fget_unlocked() and fhold().

On sufficiently large machine, f_count can be legitimately very large,
e.g. malicious code can dup same fd up to the per-process
filedescriptors limit, and then fork as much as it can.
On some smaller machine, I see
        kern.maxfilesperproc: 939132
        kern.maxprocperuid: 34203
which already overflows u_int.  More, the malicious code can create
transient references by sending fds over unix sockets.

I realized that this check is missed after reading
https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html

Reviewed by:    markj (previous version), mjg
Tested by:      pho (previous version)
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D20947
DeltaFile
+36-15sys/kern/kern_descrip.c
+16-4sys/kern/uipc_usrreq.c
+14-0sys/sys/refcount.h
+6-2sys/sys/file.h
+5-1sys/kern/sys_generic.c
+77-225 files

UnifiedSplitRaw