For non-stopped threads, td_frame pointer is undefined. As a

consequence, fill_regs() and fill_fpregs() access random data, usually
on the thread kernel stack. Most often the td_frame points to the
previous frame saved by last kernel entry sequence, but this is not
guaranteed.

For /proc/<pid>/{regs,fpregs} read access, require the thread to be in
stopped state. Otherwise, return EBUSY as is done for write case.

Reported and tested by:	pho
Approved by:	des (procfs maintainer)
MFC after:	1 week

2 files changed, 8 insertions, 0 deletions

diff --git a/sys/fs/procfs/procfs_fpregs.c b/sys/fs/procfs/procfs_fpregs.c
index c35b066..541efed 100644
--- a/sys/fs/procfs/procfs_fpregs.c
+++ b/sys/fs/procfs/procfs_fpregs.c
@@ -97,6 +97,10 @@ procfs_doprocfpregs(PFS_FILL_ARGS)
 		PROC_UNLOCK(p);
 		return (EPERM);
 	}
+	if (!P_SHOULDSTOP(p)) {
+		PROC_UNLOCK(p);
+		return (EBUSY);
+	}
 
 	/* XXXKSE: */
 	td2 = FIRST_THREAD_IN_PROC(p);
diff --git a/sys/fs/procfs/procfs_regs.c b/sys/fs/procfs/procfs_regs.c
index 5bf1c0a..605d1c6 100644
--- a/sys/fs/procfs/procfs_regs.c
+++ b/sys/fs/procfs/procfs_regs.c
@@ -97,6 +97,10 @@ procfs_doprocregs(PFS_FILL_ARGS)
 		PROC_UNLOCK(p);
 		return (EPERM);
 	}
+	if (!P_SHOULDSTOP(p)) {
+		PROC_UNLOCK(p);
+		return (EBUSY);
+	}
 
 	/* XXXKSE: */
 	td2 = FIRST_THREAD_IN_PROC(p);