svn commit: r292440 - in head/sys: kern sys

Mateusz Guzik mjg at FreeBSD.org
Fri Dec 18 16:33:17 UTC 2015


Author: mjg
Date: Fri Dec 18 16:33:15 2015
New Revision: 292440
URL: https://svnweb.freebsd.org/changeset/base/292440

Log:
  proc: fix a race which could result in dereference of bad p_pgrp pointer on fork
  
  During fork, the p_startcopy - p_endcopy area of a process is populated with
  bcopy with only the proc lock held. Another forking thread can find such a
  process and proceed to access p_pgrp, which is included in said area.
  
  Fix the problem by moving the field outside. It is being properly assigned
  later.
  
  Reviewed by:	kib
  Diagnosed by:	kib
  Tested by:	Fabian Keil <freebsd-listen fabiankeil.de>
  MFC after:	10 days

Modified:
  head/sys/kern/kern_proc.c
  head/sys/sys/proc.h

Modified: head/sys/kern/kern_proc.c
==============================================================================
--- head/sys/kern/kern_proc.c	Fri Dec 18 14:56:49 2015	(r292439)
+++ head/sys/kern/kern_proc.c	Fri Dec 18 16:33:15 2015	(r292440)
@@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags
 	TAILQ_INIT(&p->p_threads);	     /* all threads in proc */
 	EVENTHANDLER_INVOKE(process_init, p);
 	p->p_stats = pstats_alloc();
+	p->p_pgrp = NULL;
 	SDT_PROBE3(proc, , init, return, p, size, flags);
 	return (0);
 }
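Review bot: The new `p->p_pgrp = NULL;` sits in proc_init, which by its name and the `(mem, size, flags)` signature looks like the UMA zone init hook, so it presumably runs only when an item is first set up in the zone and not on every allocation of a recycled proc; if so, a reused proc keeps whatever p_pgrp held when it was freed, and the fix relies on the exit/reap path having cleared it, which the commit does not state. A one-line comment would record that dependency: `/* Outside the p_startcopy..p_endcopy area; fork sets it explicitly after the copy. */`. Since the field is no longer inherited by the bcopy, a reader that finds the child between the copy and the later assignment now sees NULL rather than a copied pointer, so those readers must already tolerate a NULL p_pgrp on a process under construction — worth confirming. proc_init's body starts outside the hunk.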

Modified: head/sys/sys/proc.h
==============================================================================
--- head/sys/sys/proc.h	Fri Dec 18 14:56:49 2015	(r292439)
+++ head/sys/sys/proc.h	Fri Dec 18 16:33:15 2015	(r292440)
@@ -586,7 +586,6 @@ struct proc {
 	int		p_osrel;	/* (x) osreldate for the
 					       binary (from ELF note, if any) */
 	char		p_comm[MAXCOMLEN + 1];	/* (b) Process name. */
-	struct pgrp	*p_pgrp;	/* (c + e) Pointer to process group. */
 	struct sysentvec *p_sysent;	/* (b) Syscall dispatch info. */
 	struct pargs	*p_args;	/* (c) Process arguments. */
 	rlim_t		p_cpulimit;	/* (c) Current CPU limit in seconds. */
@@ -599,6 +598,7 @@ struct proc {
 	u_int		p_xsig;		/* (c) Stop/kill sig. */
 /* End area that is copied on creation. */
 #define	p_endcopy	p_xsig
+	struct pgrp	*p_pgrp;	/* (c + e) Pointer to process group. */
 	struct knlist	p_klist;	/* (c) Knotes attached to this proc. */
 	int		p_numthreads;	/* (c) Number of threads. */
 	struct mdproc	p_md;		/* Any machine-dependent fields. */
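Review bot: The relocated `p_pgrp` member on the added line carries only the original `(c + e)` lock annotation, and nothing marks that its position just after `#define p_endcopy p_xsig` is deliberate; a future cleanup could move it back into the copied area and reintroduce the race described in the log. Suggest extending the trailing comment: `/* (c + e) Pointer to process group. Must stay outside the p_startcopy..p_endcopy area; fork assigns it explicitly. */`. The first hunk of this file (the removal) needs no change. struct proc begins and ends outside both hunks.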

