From e70da8e2e976b377d257e1b3b13de2941a7e4d60 Mon Sep 17 00:00:00 2001
From: mjg
Date: Fri, 18 Dec 2015 16:33:15 +0000
Subject: proc: fix a race which could result in dereference of bad p_pgrp pointer on fork
During fork p_starcopy - p_endcopy area of a process is populated with bcopy with only proc lock held. Another forking thread can find such a process and proceed to access p_pgrp included in said area. Fix the problem by moving the field outside. It is being properly assigned later.
Reviewed by: kib
Diagnosed by: kib
Tested by: Fabian Keil
MFC after: 10 days
---
 sys/kern/kern_proc.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'sys/kern/kern_proc.c')
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index 8a3b6ca..bbedd9b 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags)
 TAILQ_INIT(&p->p_threads); /* all threads in proc */
 EVENTHANDLER_INVOKE(process_init, p);
 p->p_stats = pstats_alloc();
+ p->p_pgrp = NULL;
 SDT_PROBE3(proc, , init, return, p, size, flags);
 return (0);
 }
-- 
cgit v1.1
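Review bot: The new `p->p_pgrp = NULL;` lands in proc_init, which from the `(void *mem, int size, int flags)` signature and the `init` SDT probe looks like the zone init hook rather than a per-allocation constructor, so the NULL is only guaranteed for a freshly allocated zone item; a struct recycled from the zone keeps whatever p_pgrp held when it was freed, which is safe only if the exit/reap path clears it before the free — worth confirming rather than assuming. The fix also rests on p_pgrp now sitting outside the p_startcopy..p_endcopy range copied by fork, and that header change is not in this single-file view, so a short comment at the assignment would tie the two together: `/* Outside p_startcopy..p_endcopy: fork's bcopy must not clobber this. */`. The body of proc_init begins before the hunk.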