proc: fix a race which could result in dereference of bad p_pgrp pointer on fork
During fork, the p_startcopy - p_endcopy area of a process is populated with bcopy with only the proc lock held. Another forking thread can find such a process and proceed to access p_pgrp included in said area. Fix the problem by moving the field outside. It is being properly assigned later. Reviewed by: kib Diagnosed by: kib Tested by: Fabian Keil <freebsd-listen fabiankeil.de> MFC after: 10 days
This commit is contained in:
parent
8c6d1d4b90
commit
aa0241d623
@ -248,6 +248,7 @@ proc_init(void *mem, int size, int flags)
|
||||
TAILQ_INIT(&p->p_threads); /* all threads in proc */
|
||||
EVENTHANDLER_INVOKE(process_init, p);
|
||||
p->p_stats = pstats_alloc();
|
||||
p->p_pgrp = NULL;
|
||||
SDT_PROBE3(proc, , init, return, p, size, flags);
|
||||
return (0);
|
||||
}
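Review bot: The `p->p_pgrp = NULL;` added to proc_init() has no comment saying why a zone-init-time NULL is now required, and the reason is subtle: once the field is outside the p_startcopy..p_endcopy range that fork bcopy()s, nothing in the copy path writes it, so this initializer is what gives a freshly allocated proc a defined value until fork assigns the real group. A one-liner would protect it from the next reordering: `p->p_pgrp = NULL;	/* Not in the copied area; fork assigns it later. */`. proc_init() appears to be the UMA zone init (run when the backing item is first allocated) rather than the per-allocation ctor, so a recycled proc keeps whatever p_pgrp held when it was freed; unless the exit path clears it before the object returns to the zone, the same proc-lock-only reader this commit protects could still observe a stale pointer — worth confirming that path. The function's opening lines are outside the hunk.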
|
||||
|
@ -586,7 +586,6 @@ struct proc {
|
||||
int p_osrel; /* (x) osreldate for the
|
||||
binary (from ELF note, if any) */
|
||||
char p_comm[MAXCOMLEN + 1]; /* (b) Process name. */
|
||||
struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */
|
||||
struct sysentvec *p_sysent; /* (b) Syscall dispatch info. */
|
||||
struct pargs *p_args; /* (c) Process arguments. */
|
||||
rlim_t p_cpulimit; /* (c) Current CPU limit in seconds. */
|
||||
@ -599,6 +598,7 @@ struct proc {
|
||||
u_int p_xsig; /* (c) Stop/kill sig. */
|
||||
/* End area that is copied on creation. */
|
||||
#define p_endcopy p_xsig
|
||||
struct pgrp *p_pgrp; /* (c + e) Pointer to process group. */
|
||||
struct knlist p_klist; /* (c) Knotes attached to this proc. */
|
||||
int p_numthreads; /* (c) Number of threads. */
|
||||
struct mdproc p_md; /* Any machine-dependent fields. */
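Review bot: The relocated `struct pgrp *p_pgrp;` keeps only its lock annotation `(c + e)`, so nothing at the new position records that the field must stay outside the p_startcopy..p_endcopy range, and a later tidy-up could move it back beside p_comm and silently reintroduce the race. Suggest extending the comment: `struct pgrp *p_pgrp; /* (c + e) Pointer to process group. Keep outside p_startcopy..p_endcopy: the fork-time copy runs with only the proc lock held. */`. The `/* End area that is copied on creation. */` line just above is also the natural place to note that fields below it are initialized individually rather than copied. struct proc continues outside the hunk on both sides.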
|
||||
|