Diffusion FreeBSD src repository - subversion rS295233

fork: plug a use after free of the returned process
rS295233
Actions

Description

fork: plug a use after free of the returned process

fork1 required its callers to pass a pointer to struct proc * which would
be set to the new process (if any). procdesc and racct manipulation also
used said pointer.

However, the process could have exited prior to do_fork return and be
automatically reaped, thus making this a use-after-free.

Fix the problem by letting callers indicate whether they want the pid or
the struct proc, return the process in stopped state for the latter case.

Reviewed by: kib

Details

Provenance

mjg	Authored on

Reviewer

kib

Parents

rS295232: fork: pass arguments to fork1 in a dedicated structure

Branches

Unknown

Tags

Unknown

Event Timeline

mjg committed rS295233: fork: plug a use after free of the returned process.Feb 4 2016, 4:25 AM

Changes (4)

Path

Size

head/

sys/

compat/

cloudabi/

kern/

sys/

rS295233

View Options

head/sys/compat/cloudabi/cloudabi_proc.c

View Options

head/sys/kern/kern_fork.c

View Options

head/sys/kern/kern_racct.c

View Options

fork: plug a use after free of the returned processrS295233Actions

Description

Details

Event Timeline

Changes (4)

rS295233

head/sys/compat/cloudabi/cloudabi_proc.c

head/sys/kern/kern_fork.c

head/sys/kern/kern_racct.c

head/sys/sys/proc.h

fork: plug a use after free of the returned process
rS295233
Actions