Date:      Tue, 10 Jul 2001 18:59:57 -0700
From:      Dima Dorfman <dima@unixfreak.org>
To:        Jason DiCioccio <jdicioccio@epylon.com>
Cc:        "'security@freebsd.org'" <security@freebsd.org>, kris@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-01: 
Message-ID:  <20010711015958.0921D3E28@bazooka.unixfreak.org>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFEFA1@goofy.epylon.lan>; from jdicioccio@epylon.com on "Tue, 10 Jul 2001 09:27:27 -0700"

Jason DiCioccio <jdicioccio@epylon.com> writes:
> So then I'm guessing this has been 3.5-STABLE is not vulnerable? 
> Just want to be sure :-)

What makes you say that?  The necessary fix isn't present in RELENG_3,
and I doubt that there's something else which hides the issue.  I've
attached a patch for RELENG_3 that merges the fix.  Kris, any reason
this shouldn't be applied?

					Dima Dorfman
					dima@unixfreak.org


Index: kern_exec.c
===================================================================
RCS file: /stl/src/FreeBSD/src/sys/kern/kern_exec.c,v
retrieving revision 1.93.2.5
diff -u -r1.93.2.5 kern_exec.c
--- kern_exec.c	2001/06/16 23:41:58	1.93.2.5
+++ kern_exec.c	2001/07/11 01:58:17
@@ -39,9 +39,9 @@
 #include <sys/imgact.h>
 #include <sys/imgact_elf.h>
 #include <sys/wait.h>
+#include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/pioctl.h>
-#include <sys/malloc.h>
 #include <sys/namei.h>
 #include <sys/sysent.h>
 #include <sys/shm.h>
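Review bot: this hunk adds no new header; it only moves `#include <sys/malloc.h>` from below `<sys/pioctl.h>` to above `<sys/proc.h>`. Unless the RELENG_3 `<sys/proc.h>` needs the malloc declarations to be visible first, the reorder is a cosmetic artifact of merging from the newer tree and could be dropped to keep the RELENG_3 diff minimal; if it is needed for the build, the reason belongs in the commit message.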
@@ -56,6 +56,7 @@
 #include <vm/pmap.h>
 #include <vm/vm_page.h>
 #include <vm/vm_map.h>
+#include <sys/user.h>
 #include <vm/vm_kern.h>
 #include <vm/vm_extern.h>
 #include <vm/vm_object.h>
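Review bot: `<sys/user.h>` is inserted between `<vm/vm_map.h>` and `<vm/vm_kern.h>`, away from the other `<sys/...>` headers. It is required because the third hunk dereferences `p->p_addr->u_sigacts`, which needs the full `struct user` layout, but for consistency with the first hunk it should go in the `<sys/...>` block rather than in the middle of the vm includes.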
@@ -229,6 +230,27 @@
 		p->p_fd = tmp;
 	}
 
+	/*
+	 * For security and other reasons, signal handlers cannot
+	 * be shared after an exec. The new proces gets a copy of the old
+	 * handlers. In execsigs(), the new process wll have its signals
+	 * reset.
+	 */
+	if (p->p_procsig->ps_refcnt > 1) {
+		struct procsig *newprocsig;
+
+		MALLOC(newprocsig, struct procsig *, sizeof(struct procsig),
+		       M_SUBPROC, M_WAITOK);
+		bcopy(p->p_procsig, newprocsig, sizeof(*newprocsig));
+		p->p_procsig->ps_refcnt--;
+		p->p_procsig = newprocsig;
+		p->p_procsig->ps_refcnt = 1;
+		if (p->p_sigacts == &p->p_addr->u_sigacts)
+			panic("shared procsig but private sigacts?\n");
+
+		p->p_addr->u_sigacts = *p->p_sigacts;
+		p->p_sigacts = &p->p_addr->u_sigacts;
+	}
 	/* Stop profiling */
 	stopprofclock(p);
 
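Review bot: the new comment has two typos ("proces", "wll") that should be fixed before commit, and the string passed to `panic()` ends in `\n`, which `panic()` does not need. On the logic: the `bcopy()` duplicates the whole `struct procsig` including `ps_refcnt`, which is then overwritten to 1, and the old block's count is decremented without freeing it; that is correct because `ps_refcnt > 1` guarantees another holder remains, and it is also what keeps the old `p->p_sigacts` pointer valid for the later `p->p_addr->u_sigacts = *p->p_sigacts;` copy, which still reads through the old shared structure. The refcount update is unlocked, which is only safe here because the whole exec path in RELENG_3 runs under the single kernel lock; that assumption should be noted so the code is not copied verbatim into a tree where that no longer holds. The `panic()` is a sanity check that a shared procsig never coexists with private sigacts in the u-area; after the copy the exec'd process owns a private copy of the old handlers, which is the point of the fix.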

