From owner-svn-src-head@FreeBSD.ORG Sat Mar 21 20:24:04 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9FA7C6D5; Sat, 21 Mar 2015 20:24:04 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 71D6374C; Sat, 21 Mar 2015 20:24:04 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2LKO4uN011280; Sat, 21 Mar 2015 20:24:04 GMT (envelope-from mjg@FreeBSD.org) Received: (from mjg@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2LKO4ZC011279; Sat, 21 Mar 2015 20:24:04 GMT (envelope-from mjg@FreeBSD.org) Message-Id: <201503212024.t2LKO4ZC011279@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: mjg set sender to mjg@FreeBSD.org using -f From: Mateusz Guzik Date: Sat, 21 Mar 2015 20:24:04 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r280330 - head/sys/kern X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Mar 2015 20:24:04 -0000 Author: mjg Date: Sat Mar 21 20:24:03 2015 New Revision: 280330 URL: https://svnweb.freebsd.org/changeset/base/280330 Log: fork: assign refed credentials earlier Prior to this change the kernel would take p1's credentials and assign them tempororarily to p2. But p1 could change credentials at that time and in effect give us a use-after-free. No objections from: kib Modified: head/sys/kern/kern_fork.c Modified: head/sys/kern/kern_fork.c ============================================================================== --- head/sys/kern/kern_fork.c Sat Mar 21 19:20:15 2015 (r280329) +++ head/sys/kern/kern_fork.c Sat Mar 21 20:24:03 2015 (r280330) @@ -410,9 +410,6 @@ do_fork(struct thread *td, int flags, st bzero(&p2->p_startzero, __rangeof(struct proc, p_startzero, p_endzero)); - crhold(td->td_ucred); - proc_set_cred(p2, td->td_ucred); - /* Tell the prison that we exist. */ prison_proc_hold(p2->p_ucred->cr_prison); @@ -832,7 +829,7 @@ fork1(struct thread *td, int flags, int td2 = thread_alloc(pages); if (td2 == NULL) { error = ENOMEM; - goto fail1; + goto fail2; } proc_linkup(newproc, td2); } else { @@ -841,7 +838,7 @@ fork1(struct thread *td, int flags, int vm_thread_dispose(td2); if (!thread_alloc_stack(td2, pages)) { error = ENOMEM; - goto fail1; + goto fail2; } } } @@ -850,7 +847,7 @@ fork1(struct thread *td, int flags, int vm2 = vmspace_fork(p1->p_vmspace, &mem_charged); if (vm2 == NULL) { error = ENOMEM; - goto fail1; + goto fail2; } if (!swap_reserve(mem_charged)) { /* @@ -861,7 +858,7 @@ fork1(struct thread *td, int flags, int */ swap_reserve_force(mem_charged); error = ENOMEM; - goto fail1; + goto fail2; } } else vm2 = NULL; @@ -870,7 +867,7 @@ fork1(struct thread *td, int flags, int * XXX: This is ugly; when we copy resource usage, we need to bump * per-cred resource counters. */ - proc_set_cred(newproc, p1->p_ucred); + proc_set_cred(newproc, crhold(td->td_ucred)); /* * Initialize resource accounting for the child process. @@ -946,6 +943,8 @@ fail: #endif racct_proc_exit(newproc); fail1: + crfree(proc_set_cred(newproc, NULL)); +fail2: if (vm2 != NULL) vmspace_free(vm2); uma_zfree(proc_zone, newproc);