From: Dima Dorfman
To: Jason DiCioccio
Cc: "'security@freebsd.org'", kris@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:
Date: Tue, 10 Jul 2001 18:59:57 -0700
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFEFA1@goofy.epylon.lan>; from jdicioccio@epylon.com on "Tue, 10 Jul 2001 09:27:27 -0700"

Jason DiCioccio writes:

> So then I'm guessing this has been 3.5-STABLE is not vulnerable?
> Just want to be sure :-)

What makes you say that? The necessary fix isn't present in RELENG_3, and I doubt that there's something else which hides the issue.

I've attached a patch for RELENG_3 that merges the fix. Kris, any reason this shouldn't be applied?

Dima Dorfman
dima@unixfreak.org

Index: kern_exec.c
===================================================================
RCS file: /stl/src/FreeBSD/src/sys/kern/kern_exec.c,v
retrieving revision 1.93.2.5
diff -u -r1.93.2.5 kern_exec.c
--- kern_exec.c 2001/06/16 23:41:58 1.93.2.5
+++ kern_exec.c 2001/07/11 01:58:17
@@ -39,9 +39,9 @@ #include #include #include +#include #include #include -#include #include #include #include
@@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include
@@ -229,6 +230,27 @@ p->p_fd = tmp; } + /* + * For security and other reasons, signal handlers cannot + * be shared after an exec. The new proces gets a copy of the old + * handlers. In execsigs(), the new process wll have its signals + * reset. + */ + if (p->p_procsig->ps_refcnt > 1) { + struct procsig *newprocsig; + + MALLOC(newprocsig, struct procsig *, sizeof(struct procsig), + M_SUBPROC, M_WAITOK); + bcopy(p->p_procsig, newprocsig, sizeof(*newprocsig)); + p->p_procsig->ps_refcnt--; + p->p_procsig = newprocsig; + p->p_procsig->ps_refcnt = 1; + if (p->p_sigacts == &p->p_addr->u_sigacts) + panic("shared procsig but private sigacts?\n"); + + p->p_addr->u_sigacts = *p->p_sigacts; + p->p_sigacts = &p->p_addr->u_sigacts; + } /* Stop profiling */ stopprofclock(p);
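Review bot: in the third hunk (the block inserted before "/* Stop profiling */"), confirm that it runs before execsigs() in the RELENG_3 version of this function; the comment depends on that ordering ("In execsigs(), the new process wll have its signals reset"), and if the reset ran first it would land in the procsig still shared with the other processes (ps_refcnt > 1), which is exactly what this copy is meant to prevent. Two smaller points: the trailing "\n" in `panic("shared procsig but private sigacts?\n");` is redundant, since panic() appends its own newline to the message, and the comment has typos ("proces", "wll"). The block also uses MALLOC() and M_SUBPROC, which come from sys/malloc.h; the names of the headers added in the first two hunks did not survive in this copy of the patch, so check that the merged RELENG_3 kern_exec.c includes it.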