From be6a1d148eb16552f9b6e57e76fb0add0d848c61 Mon Sep 17 00:00:00 2001 From: David Greenman Date: Wed, 28 Dec 1994 06:15:08 +0000 Subject: [PATCH] Fixed multiple bugs that cause null pointers to be followed or FREEed data to be accessed if a process blocks when it is being run down. --- sys/kern/kern_exit.c | 8 +++++-- sys/kern/kern_sysctl.c | 49 +++++++++++++++++++++--------------------- 2 files changed, 30 insertions(+), 27 deletions(-) diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 61eb9840c118..e3cee98fd8e1 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_exit.c 8.7 (Berkeley) 2/12/94 - * $Id: kern_exit.c,v 1.11 1994/10/11 20:42:01 sos Exp $ + * $Id: kern_exit.c,v 1.12 1994/10/27 05:21:39 phk Exp $ */ #include @@ -264,8 +264,10 @@ done: * Other substructures are freed from wait(). */ curproc = NULL; - if (--p->p_limit->p_refcnt == 0) + if (--p->p_limit->p_refcnt == 0) { FREE(p->p_limit, M_SUBPROC); + p->p_limit = NULL; + } /* * Finally, call machine-dependent code to release the remaining @@ -404,6 +406,7 @@ loop: p->p_xstat = 0; ruadd(&q->p_stats->p_cru, p->p_ru); FREE(p->p_ru, M_ZOMBIE); + p->p_ru = NULL; /* * Decrement the count of procs running with this uid. @@ -416,6 +419,7 @@ loop: if (--p->p_cred->p_refcnt == 0) { crfree(p->p_cred->pc_ucred); FREE(p->p_cred, M_SUBPROC); + p->p_cred = NULL; } /* diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index 4dd24ce4f95c..c5f16f5025d4 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -34,7 +34,7 @@ * SUCH DAMAGE. * * @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94 - * $Id: kern_sysctl.c,v 1.19 1994/11/14 13:58:30 bde Exp $ + * $Id: kern_sysctl.c,v 1.20 1994/12/18 13:56:50 guido Exp $ */ /* @@ -637,24 +637,25 @@ again: case KERN_PROC_PGRP: /* could do this by traversing pgrp */ - if (p->p_pgrp->pg_id != (pid_t)name[1]) + if (p->p_pgrp == NULL || p->p_pgrp->pg_id != (pid_t)name[1]) continue; break; case KERN_PROC_TTY: if ((p->p_flag & P_CONTROLT) == 0 || + p->p_session == NULL || p->p_session->s_ttyp == NULL || p->p_session->s_ttyp->t_dev != (dev_t)name[1]) continue; break; case KERN_PROC_UID: - if (p->p_ucred->cr_uid != (uid_t)name[1]) + if (p->p_ucred == NULL || p->p_ucred->cr_uid != (uid_t)name[1]) continue; break; case KERN_PROC_RUID: - if (p->p_cred->p_ruid != (uid_t)name[1]) + if (p->p_ucred == NULL || p->p_cred->p_ruid != (uid_t)name[1]) continue; break; } @@ -699,19 +700,14 @@ fill_eproc(p, ep) { register struct tty *tp; + bzero(ep, sizeof(*ep)); + ep->e_paddr = p; - ep->e_sess = p->p_pgrp->pg_session; - ep->e_pcred = *p->p_cred; - ep->e_ucred = *p->p_ucred; - if (p->p_stat == SIDL || p->p_stat == SZOMB) { - ep->e_vm.vm_rssize = 0; - ep->e_vm.vm_tsize = 0; - ep->e_vm.vm_dsize = 0; - ep->e_vm.vm_ssize = 0; -#ifndef sparc - /* ep->e_vm.vm_pmap = XXX; */ -#endif - } else { + if (p->p_cred) + ep->e_pcred = *p->p_cred; + if (p->p_ucred) + ep->e_ucred = *p->p_ucred; + if (p->p_stat != SIDL && p->p_stat != SZOMB) { register struct vmspace *vm = p->p_vmspace; #ifdef pmap_resident_count @@ -728,24 +724,27 @@ fill_eproc(p, ep) } if (p->p_pptr) ep->e_ppid = p->p_pptr->p_pid; - else - ep->e_ppid = 0; - ep->e_pgid = p->p_pgrp->pg_id; - ep->e_jobc = p->p_pgrp->pg_jobc; + if (p->p_pgrp) { + ep->e_sess = p->p_pgrp->pg_session; + ep->e_pgid = p->p_pgrp->pg_id; + ep->e_jobc = p->p_pgrp->pg_jobc; + } if ((p->p_flag & P_CONTROLT) && - (tp = ep->e_sess->s_ttyp)) { + (ep->e_sess != NULL) && + ((tp = ep->e_sess->s_ttyp) != NULL)) { ep->e_tdev = tp->t_dev; ep->e_tpgid = tp->t_pgrp ? tp->t_pgrp->pg_id : NO_PID; ep->e_tsess = tp->t_session; } else ep->e_tdev = NODEV; - ep->e_flag = ep->e_sess->s_ttyvp ? EPROC_CTTY : 0; + if (ep->e_sess && ep->e_sess->s_ttyvp) + ep->e_flag = EPROC_CTTY; if (SESS_LEADER(p)) ep->e_flag |= EPROC_SLEADER; - if (p->p_wmesg) + if (p->p_wmesg) { strncpy(ep->e_wmesg, p->p_wmesg, WMESGLEN); - ep->e_xsize = ep->e_xrssize = 0; - ep->e_xccount = ep->e_xswrss = 0; + ep->e_wmesg[WMESGLEN] = 0; + } } #ifdef COMPAT_43