Date: Wed, 20 May 2026 19:35:43 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 4b6a23eb8a7e - main - procdesc: Make sure to drain selinfo sleepers in procdesc_free() Message-ID: <6a0e0d0f.3840a.2b84911a@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=4b6a23eb8a7e4b137d9e1b527d1fa84c950484eb commit 4b6a23eb8a7e4b137d9e1b527d1fa84c950484eb Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-05-08 13:03:49 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-05-20 19:34:50 +0000 procdesc: Make sure to drain selinfo sleepers in procdesc_free() Otherwise they are left on a freed list after procdesc_free() is called. This can be exploited to elevate privileges. Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if no one ever called selrecord() on the file description, so I see no reason to complicate the code to avoid the call. Add some regression tests. Approved by: so Security: FreeBSD-SA-26:19.file Security: CVE-2026-45251 Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015 Reviewed by: kib, oshogbo Fixes: cfb5f7686588 ("Add experimental support for process descriptors") Differential Revision: https://reviews.freebsd.org/D56887 --- sys/kern/sys_procdesc.c | 10 ++---- sys/sys/procdesc.h | 1 - tests/sys/kern/Makefile | 1 + tests/sys/kern/procdesc.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 89 insertions(+), 9 deletions(-) diff --git a/sys/kern/sys_procdesc.c b/sys/kern/sys_procdesc.c index ec3b37f96148..9360ec147f8a 100644 --- a/sys/kern/sys_procdesc.c +++ b/sys/kern/sys_procdesc.c @@ -274,6 +274,7 @@ procdesc_free(struct procdesc *pd) if (pd->pd_pid != -1) proc_id_clear(PROC_ID_PID, pd->pd_pid); + seldrain(&pd->pd_selinfo); knlist_destroy(&pd->pd_selinfo.si_note); PROCDESC_LOCK_DESTROY(pd); free(pd, M_PROCDESC); @@ -316,10 +317,7 @@ procdesc_exit(struct proc *p) procdesc_free(pd); return (1); } - if (pd->pd_flags & PDF_SELECTED) { - pd->pd_flags &= ~PDF_SELECTED; - selwakeup(&pd->pd_selinfo); - } + selwakeup(&pd->pd_selinfo); KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT); PROCDESC_UNLOCK(pd); @@ -438,10 +436,8 @@ procdesc_poll(struct file *fp, int events, struct ucred *active_cred, PROCDESC_LOCK(pd); if (pd->pd_flags & PDF_EXITED) revents |= POLLHUP; - if (revents == 0) { + else selrecord(td, &pd->pd_selinfo); - pd->pd_flags |= PDF_SELECTED; - } PROCDESC_UNLOCK(pd); return (revents); } diff --git a/sys/sys/procdesc.h b/sys/sys/procdesc.h index b477903f8053..a6be5dbe576c 100644 --- a/sys/sys/procdesc.h +++ b/sys/sys/procdesc.h @@ -86,7 +86,6 @@ struct procdesc { * Flags for the pd_flags field. */ #define PDF_CLOSED 0x00000001 /* Descriptor has closed. */ -#define PDF_SELECTED 0x00000002 /* Issue selwakeup(). */ #define PDF_EXITED 0x00000004 /* Process exited. */ #define PDF_DAEMON 0x00000008 /* Don't exit when procdesc closes. */ diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index a06e8702f16d..fb75720114ac 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -104,6 +104,7 @@ LIBADD.kcov+= pthread CFLAGS.ktls_test+= -DOPENSSL_API_COMPAT=0x10100000L LIBADD.ktls_test+= crypto util LIBADD.listener_wakeup+= pthread +LIBADD.procdesc+= pthread LIBADD.shutdown_dgram+= pthread LIBADD.socket_msg_waitall+= pthread LIBADD.socket_splice+= pthread diff --git a/tests/sys/kern/procdesc.c b/tests/sys/kern/procdesc.c index 3334ee404518..2d710ef057f2 100644 --- a/tests/sys/kern/procdesc.c +++ b/tests/sys/kern/procdesc.c @@ -2,6 +2,7 @@ * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2026 ConnectWise + * Copyright (c) 2026 Mark Johnston <markj@FreeBSD.org> * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -32,8 +33,12 @@ #include <sys/sysctl.h> #include <sys/wait.h> -#include <atf-c.h> +#include <poll.h> +#include <pthread.h> #include <stdio.h> +#include <unistd.h> + +#include <atf-c.h> /* Tests for procdesc(4) that aren't specific to any one syscall */ @@ -90,9 +95,88 @@ ATF_TC_BODY(pid_recycle, tc) close(pd); } +static void * +poll_procdesc(void *arg) +{ + struct pollfd pfd; + + pfd.fd = *(int *)arg; + pfd.events = POLLHUP; + (void)poll(&pfd, 1, 5000); + return ((void *)(uintptr_t)pfd.revents); +} + +/* + * Regression test to exercise the case where a procdesc is closed while a + * thread is poll()ing it. + */ +ATF_TC_WITHOUT_HEAD(poll_close_race); +ATF_TC_BODY(poll_close_race, tc) +{ + pthread_t thr; + pid_t pid; + uintptr_t revents; + int error, pd; + + pid = pdfork(&pd, PD_DAEMON); + ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); + if (pid == 0) { + pause(); + _exit(0); + } + + error = pthread_create(&thr, NULL, poll_procdesc, &pd); + ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); + + /* Wait for the thread to block in poll(2). */ + usleep(250000); + + ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); + + error = pthread_join(thr, (void *)&revents); + ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); + ATF_REQUIRE_EQ(revents, POLLNVAL); +} + +/* + * Verify that poll(2) of a procdesc returns POLLHUP when the process exits. + */ +ATF_TC_WITHOUT_HEAD(poll_exit_wakeup); +ATF_TC_BODY(poll_exit_wakeup, tc) +{ + pthread_t thr; + uintptr_t revents; + pid_t pid; + int error, pd; + + pid = pdfork(&pd, PD_DAEMON); + ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); + if (pid == 0) { + pause(); + _exit(0); + } + + error = pthread_create(&thr, NULL, poll_procdesc, &pd); + ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); + + /* Wait for the thread to block in poll(2). */ + usleep(250000); + + ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0, + "pdkill: %s", strerror(errno)); + + error = pthread_join(thr, (void *)&revents); + ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); + ATF_REQUIRE_EQ(revents, POLLHUP); + + ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, pid_recycle); + ATF_TP_ADD_TC(tp, poll_close_race); + ATF_TP_ADD_TC(tp, poll_exit_wakeup); return (atf_no_error()); }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a0e0d0f.3840a.2b84911a>