diff options
| author | mjg <mjg@FreeBSD.org> | 2016-01-07 12:08:15 +0000 |
|---|---|---|
| committer | mjg <mjg@FreeBSD.org> | 2016-01-07 12:08:15 +0000 |
| commit | 04e384140c6e1dd10e5ea85cd99766317ae122f3 (patch) | |
| tree | 1f78838f5f13799f28a5a7f35d1e497d4fd8b9d0 /sys/sys | |
| parent | 513e9b690f5bb0abdec4b77b4ab0de8385608740 (diff) | |
| download | FreeBSD-src-04e384140c6e1dd10e5ea85cd99766317ae122f3.zip FreeBSD-src-04e384140c6e1dd10e5ea85cd99766317ae122f3.tar.gz | |
MFC r292440:
proc: fix a race which could result in dereference of bad p_pgrp pointer on
fork
During fork p_starcopy - p_endcopy area of a process is populated with bcopy
with only proc lock held. Another forking thread can find such a process and
proceed to access p_pgrp included in said area.
Fix the problem by moving the field outside. It is being properly assigned
later.
Diffstat (limited to 'sys/sys')
| -rw-r--r-- | sys/sys/proc.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 3b188ca..5b441bc 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -558,7 +558,7 @@ struct proc { int p_osrel; /* (x) osreldate for the binary (from ELF note, if any) */ char p_comm[MAXCOMLEN + 1]; /* (b) Process name. */ - struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */ + void *p_pad0; struct sysentvec *p_sysent; /* (b) Syscall dispatch info. */ struct pargs *p_args; /* (c) Process arguments. */ rlim_t p_cpulimit; /* (c) Current CPU limit in seconds. */ @@ -604,6 +604,7 @@ struct proc { pid_t p_reapsubtree; /* (e) Pid of the direct child of the reaper which spawned our subtree. */ + struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */ }; #define p_session p_pgrp->pg_session |
