Author: mjg
Date: Fri Dec 18 16:33:15 2015
New Revision: 292440
URL: https://svnweb.freebsd.org/changeset/base/292440

Log:
  proc: fix a race which could result in dereference of bad p_pgrp pointer on 
fork
  
  During fork p_starcopy - p_endcopy area of a process is populated with bcopy
  with only proc lock held. Another forking thread can find such a process and
  proceed to access p_pgrp included in said area.
  
  Fix the problem by moving the field outside. It is being properly assigned
  later.
  
  Reviewed by:  kib
  Diagnosed by: kib
  Tested by:    Fabian Keil <freebsd-listen fabiankeil.de>
  MFC after:    10 days

Modified:
  head/sys/kern/kern_proc.c
  head/sys/sys/proc.h

Modified: head/sys/kern/kern_proc.c
==============================================================================
--- head/sys/kern/kern_proc.c   Fri Dec 18 14:56:49 2015        (r292439)
+++ head/sys/kern/kern_proc.c   Fri Dec 18 16:33:15 2015        (r292440)
@@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags
        TAILQ_INIT(&p->p_threads);           /* all threads in proc */
        EVENTHANDLER_INVOKE(process_init, p);
        p->p_stats = pstats_alloc();
+       p->p_pgrp = NULL;
        SDT_PROBE3(proc, , init, return, p, size, flags);
        return (0);
 }
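Review bot: The new `p->p_pgrp = NULL;` deserves a comment saying why it lives here, because a reader of proc_init() alone cannot see that p_pgrp was just moved outside the p_startcopy..p_endcopy region and so is no longer written by the bcopy in fork; something like `/* Lives outside the copied area; stays NULL until fork assigns the group. */` would keep the next reorder from reintroducing the race. As far as I recall proc_init() is the zone's init routine rather than its ctor, so this NULL is applied when an item is first constructed and a recycled struct proc keeps whatever value its previous owner left (presumably NULL after leavepgrp()) — worth confirming and stating in the comment, since a stale non-NULL group pointer here is exactly the class of dangling dereference the commit is fixing. proc_init() begins before this hunk.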

Modified: head/sys/sys/proc.h
==============================================================================
--- head/sys/sys/proc.h Fri Dec 18 14:56:49 2015        (r292439)
+++ head/sys/sys/proc.h Fri Dec 18 16:33:15 2015        (r292440)
@@ -586,7 +586,6 @@ struct proc {
        int             p_osrel;        /* (x) osreldate for the
                                               binary (from ELF note, if any) */
        char            p_comm[MAXCOMLEN + 1];  /* (b) Process name. */
-       struct pgrp     *p_pgrp;        /* (c + e) Pointer to process group. */
        struct sysentvec *p_sysent;     /* (b) Syscall dispatch info. */
        struct pargs    *p_args;        /* (c) Process arguments. */
        rlim_t          p_cpulimit;     /* (c) Current CPU limit in seconds. */
@@ -599,6 +598,7 @@ struct proc {
        u_int           p_xsig;         /* (c) Stop/kill sig. */
 /* End area that is copied on creation. */
 #define        p_endcopy       p_xsig
+       struct pgrp     *p_pgrp;        /* (c + e) Pointer to process group. */
        struct knlist   p_klist;        /* (c) Knotes attached to this proc. */
        int             p_numthreads;   /* (c) Number of threads. */
        struct mdproc   p_md;           /* Any machine-dependent fields. */
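Review bot: The relocated p_pgrp field carries its old comment only, so nothing in the header records that its position is now load-bearing: a future cleanup that moves it back above p_endcopy would silently reintroduce the race with a forking thread reading a half-copied group pointer. I would extend the comment on the new line to `/* (c + e) Pointer to process group.  Must stay outside p_startcopy/p_endcopy; set by fork after the copy. */` (the removal in the earlier proc.h hunk is the other half of the move and needs no separate note). Moving a member also shifts every later offset in struct proc, so out-of-tree kernel modules and anything reading p_pgrp by layout (libkvm consumers, debugger scripts) must be rebuilt; with an MFC planned, consider whether a __FreeBSD_version bump is warranted. struct proc extends beyond this hunk in both directions.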