author | mjg <mjg@FreeBSD.org> | 2015-12-18 16:33:15 +0000 |
---|---|---|
committer | mjg <mjg@FreeBSD.org> | 2015-12-18 16:33:15 +0000 |
commit | e70da8e2e976b377d257e1b3b13de2941a7e4d60 (patch) | |
tree | e5617784c481aef03a1cc8e9f60f7fbd887db6ca | |
parent | de5d4c25ab779a6fb9ecc67a45b7d63d1fd4b36e (diff) | |
proc: fix a race which could result in dereference of bad p_pgrp pointer on fork
During fork the p_startcopy - p_endcopy area of a process is populated with bcopy
with only the proc lock held. Another forking thread can find such a process and
proceed to access p_pgrp, which was included in said area.
Fix the problem by moving the field outside. It is being properly assigned
later.
Reviewed by: kib
Diagnosed by: kib
Tested by: Fabian Keil <freebsd-listen fabiankeil.de>
MFC after: 10 days
-rw-r--r-- | sys/kern/kern_proc.c | 1 | ||||
-rw-r--r-- | sys/sys/proc.h | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index 8a3b6ca..bbedd9b 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags)
 TAILQ_INIT(&p->p_threads); /* all threads in proc */
 EVENTHANDLER_INVOKE(process_init, p);
 p->p_stats = pstats_alloc();
+ p->p_pgrp = NULL;
 SDT_PROBE3(proc, , init, return, p, size, flags);
 return (0);
 }
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 90effa6..cb94318 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -586,7 +586,6 @@ struct proc {
 int p_osrel; /* (x) osreldate for the binary (from ELF note, if any) */
 char p_comm[MAXCOMLEN + 1]; /* (b) Process name. */
- struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */
 struct sysentvec *p_sysent; /* (b) Syscall dispatch info. */
 struct pargs *p_args; /* (c) Process arguments. */
 rlim_t p_cpulimit; /* (c) Current CPU limit in seconds. */
@@ -599,6 +598,7 @@ struct proc {
 u_int p_xsig; /* (c) Stop/kill sig. */
 /* End area that is copied on creation. */
 #define p_endcopy p_xsig
+ struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */
 struct knlist p_klist; /* (c) Knotes attached to this proc. */
 int p_numthreads; /* (c) Number of threads. */
 struct mdproc p_md; /* Any machine-dependent fields. */ |
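Review bot: The new `p->p_pgrp = NULL;` in proc_init establishes the "NULL until fork assigns it" state only for the first use of a zone item; proc_init is the UMA init hook, which as far as this hunk shows runs when an item is constructed rather than on every allocation, so a struct proc recycled from the zone cache carries whatever p_pgrp it held at teardown. If the exit path (leavepgrp or equivalent) already clears the pointer that is sufficient, but it is worth confirming, or making the invariant independent of the exit path by also clearing it in proc_fini or proc_ctor. A short comment would also stop a later reader from treating the line as redundant with the fork copy, e.g. `p->p_pgrp = NULL;	/* Outside the fork copy area; fork assigns it explicitly. */`. The proc_init body begins before the hunk.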
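Review bot: The relocated `struct pgrp *p_pgrp;` keeps its old `(c + e)` lock annotation but nothing records why it now sits below `#define p_endcopy p_xsig`, so a future tidy-up could move it back into the copied range and reintroduce the race; extend the comment, e.g. `/* (c + e) Pointer to process group.  Kept outside the p_startcopy..p_endcopy area: fork bcopy()s that range with only the proc lock held and assigns this field separately. */`. Moving a field out of the middle of struct proc also shifts the offsets of every member after p_comm, which any kernel module or userland consumer with a compiled-in layout may notice; since an MFC is planned, check whether the target branch's KBI policy calls for a __FreeBSD_version bump or a placement nearer the tail of the struct. The struct proc definition starts and ends outside the hunk.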