Date: Fri, 28 Dec 2001 23:57:11 -0600
From: Alfred Perlstein <alfred@freebsd.org>
To: Tor.Egge@cvsup.no.freebsd.org
Cc: security@freebsd.org, alc@freebsd.org, dillon@freebsd.org
Subject: Re: (forw) Re: AIO vulnerability (from bugtraq)
Message-ID: <20011228235711.A16101@elvis.mu.org>
In-Reply-To: <20011211180713J.tegge@cvsup.no.freebsd.org>; from Tor.Egge@cvsup.no.freebsd.org on Tue, Dec 11, 2001 at 06:07:13PM +0000
References: <20011210132621.E92148@elvis.mu.org> <20011211180713J.tegge@cvsup.no.freebsd.org>
* Tor.Egge@cvsup.no.freebsd.org <Tor.Egge@cvsup.no.freebsd.org> [011211 12:07] wrote:
> > Can you look at this?
>
> All pending aio requests must be drained before mapping the new
> vmspace. An untested suggested patch is enclosed.
>
> - Tor Egge
This looks a bit early and could result in aio_proc_rundown()
being called but returning ENOEXEC to the caller.
I think it's safe to move it down a bit as it seems the interpreter
is responsible for only setting up the imgp such that kern_exec.c
can finish the job. Wouldn't you say it's probably safe to try
this instead?
I'm aiming for a generic at_exec(9) functionality so I could really
use a couple of extra eyes here to make sure this is safe and proper
so that other subsystems can use it.
Index: kern_exec.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.146
diff -1 -0 -u -r1.146 kern_exec.c
--- kern_exec.c 10 Dec 2001 05:40:12 -0000 1.146
+++ kern_exec.c 29 Dec 2001 06:00:14 -0000
@@ -253,20 +253,22 @@
/*
* If custom stack fixup routine present for this process
* let it do the stack setup.
* Else stuff argument count as first item on stack
*/
if (p->p_sysent->sv_fixup)
(*p->p_sysent->sv_fixup)(&stack_base, imgp);
else
suword(--stack_base, imgp->argc);
+ aio_proc_rundown(p);
+
/*
* For security and other reasons, the file descriptor table cannot
* be shared after an exec.
*/
if (p->p_fd->fd_refcnt > 1) {
struct filedesc *tmp;
tmp = fdcopy(td);
fdfree(td);
p->p_fd = tmp;
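Review bot: the drain is placed after the stack setup, which already writes into the new image's stack (`suword(--stack_base, imgp->argc)`, or whatever `sv_fixup` writes), so at the point `aio_proc_rundown(p)` runs the new address space is already in place and being written to; if the requirement in the quoted message (drain before the new vmspace is mapped) is to hold, the call has to come before the first write into the new stack, or the patch should state why draining after the vmspace switch is still sufficient. A second, smaller point: every neighbouring block in this region carries a comment explaining why exec must do it, while the added call has none; a one-line comment such as "drain pending AIO requests so completions cannot land in the new image" would keep the file's convention and record the reason the call sits here.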
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011228235711.A16101>
