Date:      Sun, 3 Aug 1997 11:21:38 -0700
From:      Sean Eric Fagan <sef@Kithrup.COM>
To:        security@freebsd.org
Subject:   Proposed alternate patch for the rfork vulnerability
Message-ID:  <199708031821.LAA18374@kithrup.com>

I haven't looked at the rfork code extensively... I should.  However,
something similar to the following should be done for every shared resource
that might be inherited across a fork. (However, what are those?  Looking at
/sys/sys/unistd.h, it doesn't look like we actually implement anything other
than shared VM [which is hosed across an exec anyway], no wait on child
[which isn't relevant to this], and the fd table copying and zeroing... and
that's what comes into play across an exec...  So maybe this is all that
should be necessary.)

I haven't extensively tested this; I ran the included program, and I am
currently up multiuser with my patched kernel.

*** kern_exec.c.~1~	Sat Nov  9 02:42:28 1996
--- kern_exec.c	Sun Aug  3 11:14:06 1997
***************
*** 325,330 ****
--- 325,338 ----
  	vrele(ndp->ni_vp);
  	FREE(ndp->ni_cnd.cn_pnbuf, M_NAMEI);
  
+ 	if (p->p_fd->fd_refcnt > 1) {
+ 		struct filedesc *tmp;
+ 
+ 		tmp = fdcopy(p);
+ 		fdfree(p);
+ 		p->p_fd = tmp;
+ 	}
+ 
  	return (0);
  
  exec_fail_dealloc:
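
Review bot: The unshare block sits immediately before return (0), after the vrele/FREE cleanup, so any earlier step of the successful exec path that reads or modifies p->p_fd still operates on the table shared with the rfork peer; consider moving the fd_refcnt > 1 check ahead of any descriptor or credential handling in this function, so the other sharer cannot change descriptors while the exec is in progress. The result of fdcopy(p) is also stored in p->p_fd without a check, which is safe only if fdcopy cannot fail, and the block would benefit from a short comment stating that it gives the exec'ing process a private copy of a descriptor table that was shared through rfork.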



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708031821.LAA18374>