Date: Mon, 1 Feb 2016 06:13:02 +0100
From: Mateusz Guzik <mjguzik@gmail.com>
To: freebsd-hackers@freebsd.org
Cc: kib@freebsd.org, Mateusz Guzik <mjg@freebsd.org>
Subject: [PATCH 0/2] plug fork use-after-free
Message-ID: <1454303584-20941-1-git-send-email-mjguzik@gmail.com>
From: Mateusz Guzik <mjg@freebsd.org>

Quite some time ago I reported a problem with fork and provided a half-assed patch, see:
https://lists.freebsd.org/pipermail/freebsd-hackers/2014-October/046212.html

Now I got around to fixing the problem in a less hackish manner.

Note that despite the new process possibly immediately exiting and being waited on, returning its (possibly now reused) PID is fine - that's the pid it possibly saw by other means and in the worst case the process is racing with itself.

To reiterate, as it is, the code has a use-after-free in procdesc and racct handling.

The first patch is a small cleanup to reduce the number of arguments to fork1, which was getting out of hand. I don't feel strongly about the name of the structure used in there.

Mateusz Guzik (2):
  fork: move procdesc-related parameters into a dedicated struct
  fork: plug a use after free of the returned process pointer

 sys/compat/cloudabi/cloudabi_proc.c |   11 ++--
 sys/compat/linux/linux_fork.c       |    6 +-
 sys/kern/init_main.c                |    2 +-
 sys/kern/kern_fork.c                |  125 ++++++++++++++++++++----------------
 sys/kern/kern_kthread.c             |    2 +-
 sys/sys/proc.h                      |    5 +-
 sys/sys/procdesc.h                  |    6 ++
 7 files changed, 91 insertions(+), 66 deletions(-)

-- 
2.7.0
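The lifetime problem the cover letter describes, modelled in user space as an added example (this is not code from the patch series or from the FreeBSD kernel). A fork routine that hands its caller a raw pointer to the new process structure is only safe while the caller still holds a reference; if the child can exit and be reaped in that window, the pointer dangles and the later procdesc/racct-style bookkeeping is a use-after-free. The second shape finishes the bookkeeping under the hold and returns only the pid, which is a value and stays valid (if possibly reused) no matter what the child does. The names `proc_alloc`, `proc_rele`, `proc_exit_and_reap`, `record_child` and the fixed-size pool are assumptions for the model and do not correspond to the actual kernel routines; the pool keeps freed memory around and poisons it so the bug is observable without undefined behaviour.

```c
/* User-space model of the fork return-value lifetime bug (added example,
 * not the patch's code).  All names below are assumptions for the model. */
#include <stddef.h>
#include <stdio.h>

#define NPROC 4

struct proc {
    int p_pid;
    int p_hold;    /* outstanding holds; the struct is not freed while > 0 */
    int p_exited;  /* child has exited and been waited on */
    int p_freed;   /* poison marker: in the kernel this memory would be gone */
    int p_used;    /* slot in use (allocator bookkeeping) */
};

/* Constructed stand-in for the zone allocator: a tiny static pool. */
static struct proc proc_pool[NPROC];
static int next_pid = 1;

static struct proc *proc_alloc(void)
{
    for (int i = 0; i < NPROC; i++) {
        if (!proc_pool[i].p_used) {
            struct proc *p = &proc_pool[i];
            p->p_used = 1;
            p->p_freed = 0;
            p->p_exited = 0;
            p->p_pid = next_pid++;
            p->p_hold = 1;          /* creator's hold */
            return p;
        }
    }
    return NULL;
}

/* "Free" keeps the memory but poisons it so a stale access is detectable. */
static void proc_free(struct proc *p)
{
    p->p_freed = 1;
    p->p_used = 0;
}

static void proc_rele(struct proc *p)
{
    if (--p->p_hold == 0 && p->p_exited)
        proc_free(p);
}

static struct proc *proc_find(int pid)
{
    for (int i = 0; i < NPROC; i++)
        if (proc_pool[i].p_used && proc_pool[i].p_pid == pid)
            return &proc_pool[i];
    return NULL;
}

/* The child exits and is waited on.  Returns 1 if the struct was freed now. */
static int proc_exit_and_reap(struct proc *p)
{
    p->p_exited = 1;
    if (p->p_hold == 0) {
        proc_free(p);
        return 1;
    }
    return 0;       /* deferred until the last hold drops */
}

/* Post-fork bookkeeping of the kind the cover letter says touched a freed proc.
 * Returns -1 on a stale access (only detectable here because of the poison). */
static int record_child(struct proc *p, int *pd_pid_out)
{
    if (p->p_freed)
        return -1;
    *pd_pid_out = p->p_pid;
    return 0;
}

/* Buggy shape: drop the hold, then hand the caller a raw pointer. */
static struct proc *fork_return_pointer(void)
{
    struct proc *p = proc_alloc();
    proc_rele(p);    /* caller owns no reference from here on */
    return p;
}

/* Fixed shape: do the bookkeeping under the hold, return only the pid. */
static int fork_return_pid(int *pd_pid_out)
{
    struct proc *p = proc_alloc();
    if (record_child(p, pd_pid_out) != 0)
        return -1;
    int pid = p->p_pid;
    proc_rele(p);
    return pid;
}

/* Race window: child exits and is reaped before the caller uses the pointer. */
int scenario_buggy(void)
{
    int pd_pid = 0;
    struct proc *p = fork_return_pointer();
    proc_exit_and_reap(p);              /* child already gone */
    return record_child(p, &pd_pid);    /* -1: touched a freed struct */
}

/* Same window, fixed shape: nothing is dereferenced after the hold is dropped. */
int scenario_fixed(void)
{
    int pd_pid = 0;
    int pid = fork_return_pid(&pd_pid);
    proc_exit_and_reap(proc_find(pid)); /* pid stays a valid value regardless */
    return (pid > 0 && pid == pd_pid) ? pid : -1;
}

int main(void)
{
    printf("buggy shape: %d (-1 means use-after-free)\n", scenario_buggy());
    printf("fixed shape: pid %d\n", scenario_fixed());
    return 0;
}
```

The point the model makes is the one in the note above: once the hold is gone, the caller may keep the pid but must not keep the pointer, and a pid that is later reused is merely stale, not dangling.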