proc: fix a race which could result in dereference of bad p_pgrp pointer on fork

During fork p_starcopy - p_endcopy area of a process is populated with bcopy with only proc lock held. Another forking thread can find such a process and proceed to access p_pgrp included in said area. Fix the problem by moving the field outside. It is being properly assigned later. Reviewed by: kib Diagnosed by: kib Tested by: Fabian Keil <freebsd-listen fabiankeil.de> MFC after: 10 days
author: mjg <mjg@FreeBSD.org> 2015-12-18 16:33:15 +0000
committer: mjg <mjg@FreeBSD.org> 2015-12-18 16:33:15 +0000
commit: e70da8e2e976b377d257e1b3b13de2941a7e4d60 (patch)
tree: e5617784c481aef03a1cc8e9f60f7fbd887db6ca /sys/kern/kern_proc.c
parent: de5d4c25ab779a6fb9ecc67a45b7d63d1fd4b36e (diff)
download: FreeBSD-src-e70da8e2e976b377d257e1b3b13de2941a7e4d60.zip
FreeBSD-src-e70da8e2e976b377d257e1b3b13de2941a7e4d60.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index 8a3b6ca..bbedd9b 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags)
 	TAILQ_INIT(&p->p_threads);	     /* all threads in proc */
 	EVENTHANDLER_INVOKE(process_init, p);
 	p->p_stats = pstats_alloc();
+	p->p_pgrp = NULL;
 	SDT_PROBE3(proc, , init, return, p, size, flags);
 	return (0);
 }
author	mjg <mjg@FreeBSD.org>	2015-12-18 16:33:15 +0000
committer	mjg <mjg@FreeBSD.org>	2015-12-18 16:33:15 +0000
commit	e70da8e2e976b377d257e1b3b13de2941a7e4d60 (patch)
tree	e5617784c481aef03a1cc8e9f60f7fbd887db6ca /sys/kern/kern_proc.c
parent	de5d4c25ab779a6fb9ecc67a45b7d63d1fd4b36e (diff)
download	FreeBSD-src-e70da8e2e976b377d257e1b3b13de2941a7e4d60.zip FreeBSD-src-e70da8e2e976b377d257e1b3b13de2941a7e4d60.tar.gz