diff options
| author | Mateusz Guzik <mjg@FreeBSD.org> | 2016-02-04 04:25:30 +0000 |
|---|---|---|
| committer | Mateusz Guzik <mjg@FreeBSD.org> | 2016-02-04 04:25:30 +0000 |
| commit | 813361c1408da9b82d0aeef5f6e7bb74b0eedfae (patch) | |
| tree | c686ed14c8e52be9896ce018a772bf3892a7e099 /sys/sys/proc.h | |
| parent | 33fd9b9a2bc277248b3dc153e1352e2b021d4fb1 (diff) | |
| download | src-813361c1408da9b82d0aeef5f6e7bb74b0eedfae.tar.gz src-813361c1408da9b82d0aeef5f6e7bb74b0eedfae.zip | |
fork: plug a use after free of the returned process
fork1 required its callers to pass a pointer to struct proc * which would
be set to the new process (if any). procdesc and racct manipulation also
used said pointer.
However, the process could have exited prior to do_fork return and be
automatically reaped, thus making this a use-after-free.
Fix the problem by letting callers indicate whether they want the pid or
the struct proc, return the process in stopped state for the latter case.
Reviewed by: kib
Notes
Notes:
svn path=/head/; revision=295233
Diffstat (limited to 'sys/sys/proc.h')
| -rw-r--r-- | sys/sys/proc.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/sys/proc.h b/sys/sys/proc.h index ac96566510ce..039fd394d34a 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -910,6 +910,7 @@ struct proc *zpfind(pid_t); /* Find zombie process by id. */ struct fork_req { int fr_flags; int fr_pages; + int *fr_pidp; struct proc **fr_procp; int *fr_pd_fd; int fr_pd_flags; |