Date:      Thu, 7 Jan 2016 12:08:15 +0000 (UTC)
From:      Mateusz Guzik <mjg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r293314 - in stable/10/sys: kern sys
Message-ID:  <201601071208.u07C8FUZ076869@repo.freebsd.org>

Author: mjg
Date: Thu Jan  7 12:08:15 2016
New Revision: 293314
URL: https://svnweb.freebsd.org/changeset/base/293314

Log:
  MFC r292440:
  
  proc: fix a race which could result in dereference of bad p_pgrp pointer on
  fork
  
  During fork the p_startcopy - p_endcopy area of a process is populated with bcopy
  with only proc lock held. Another forking thread can find such a process and
  proceed to access p_pgrp included in said area.
  
  Fix the problem by moving the field outside. It is being properly assigned
  later.

Modified:
  stable/10/sys/kern/kern_proc.c
  stable/10/sys/sys/proc.h

Modified: stable/10/sys/kern/kern_proc.c
==============================================================================
--- stable/10/sys/kern/kern_proc.c	Thu Jan  7 11:54:20 2016	(r293313)
+++ stable/10/sys/kern/kern_proc.c	Thu Jan  7 12:08:15 2016	(r293314)
@@ -234,6 +234,7 @@ proc_init(void *mem, int size, int flags
 	TAILQ_INIT(&p->p_threads);	     /* all threads in proc */
 	EVENTHANDLER_INVOKE(process_init, p);
 	p->p_stats = pstats_alloc();
+	p->p_pgrp = NULL;
 	SDT_PROBE3(proc, kernel, init, return, p, size, flags);
 	return (0);
 }
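Review bot: with `p->p_pgrp = NULL;` in proc_init(), a struct proc that another forking thread finds between allocation and the later assignment the log mentions now carries NULL instead of whatever the previous zone occupant left in that slot (the field is no longer refreshed by the p_startcopy/p_endcopy bcopy after this change). That is the right default, but it only removes the bad-pointer dereference if the lookup path described in the log tolerates a NULL p_pgrp; it would be worth stating in the log, or in a comment next to this line, that readers on that path must check for NULL rather than assuming a populated group pointer.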

Modified: stable/10/sys/sys/proc.h
==============================================================================
--- stable/10/sys/sys/proc.h	Thu Jan  7 11:54:20 2016	(r293313)
+++ stable/10/sys/sys/proc.h	Thu Jan  7 12:08:15 2016	(r293314)
@@ -558,7 +558,7 @@ struct proc {
 	int		p_osrel;	/* (x) osreldate for the
 					       binary (from ELF note, if any) */
 	char		p_comm[MAXCOMLEN + 1];	/* (b) Process name. */
-	struct pgrp	*p_pgrp;	/* (c + e) Pointer to process group. */
+	void		*p_pad0;
 	struct sysentvec *p_sysent;	/* (b) Syscall dispatch info. */
 	struct pargs	*p_args;	/* (c) Process arguments. */
 	rlim_t		p_cpulimit;	/* (c) Current CPU limit in seconds. */
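Review bot: `void *p_pad0;` has no comment, unlike every neighbouring field. Since this replaces a pointer-sized member at the same offset, the intent is clearly to keep the layout of struct proc unchanged for the stable branch (KBI), so a comment such as `/* Placeholder; p_pgrp moved out of the copied area. */` would keep later readers from reclaiming the slot for a field that is itself copied by fork. Note also that the "(c + e)" lock annotation travels with p_pgrp, so nothing in the locking legend needs to change here.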
@@ -604,6 +604,7 @@ struct proc {
 	pid_t		p_reapsubtree;	/* (e) Pid of the direct child of the
 					       reaper which spawned
 					       our subtree. */
+	struct pgrp	*p_pgrp;	/* (c + e) Pointer to process group. */
 };
 
 #define	p_session	p_pgrp->pg_session
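Review bot: the hunk does not show the p_endcopy marker, so it is not visible from the diff alone that p_reapsubtree sits past it; please confirm the new `struct pgrp *p_pgrp;` position is indeed outside the bcopy'd region, since that is the whole point of the fix per the log. Appending the field at the tail of struct proc grows sizeof(struct proc) on a stable branch while the pad in the previous hunk preserves existing offsets; that trade-off is fine for a kernel-allocated structure but deserves a sentence in the log. The `#define p_session p_pgrp->pg_session` below continues to resolve correctly after the move.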
