[PATCH 0/2] plug fork use-after-free
Mateusz Guzik
mjguzik at gmail.com
Mon Feb 1 05:13:08 UTC 2016
From: Mateusz Guzik <mjg at freebsd.org>
Quite some time ago I reported a problem with fork and provided a half-assed
patch, see:
https://lists.freebsd.org/pipermail/freebsd-hackers/2014-October/046212.html
Now I got around to fixing the problem in a less hackish manner.
Note that despite the new process possibly immediately exiting and being
waited on, returning its (possibly now reused) PID is fine - that's the
pid it possibly saw by other means and in the worst case the process is racing
with itself.
To reiterate, as it is, the code has use-after-free in procdesc and racct
handling.
The first patch is a small cleanup to reduce the number of arguments to
fork1, which was getting out of hand. I don't feel strongly about the
name of the structure used in there.
Mateusz Guzik (2):
fork: move procdesc-related parameters into a dedicated struct
fork: plug a use after free of the returned process pointer
sys/compat/cloudabi/cloudabi_proc.c | 11 ++--
sys/compat/linux/linux_fork.c | 6 +-
sys/kern/init_main.c | 2 +-
sys/kern/kern_fork.c | 125 ++++++++++++++++++++----------------
sys/kern/kern_kthread.c | 2 +-
sys/sys/proc.h | 5 +-
sys/sys/procdesc.h | 6 ++
7 files changed, 91 insertions(+), 66 deletions(-)
--
2.7.0