]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5c56365) | patch
fork: fix use-after-free with vfork
authormjg <mjg@FreeBSD.org>
Thu, 22 Nov 2018 21:08:37 +0000 (21:08 +0000)
committermjg <mjg@FreeBSD.org>
Thu, 22 Nov 2018 21:08:37 +0000 (21:08 +0000)
commit75deef51a7fa4c43f49e7ea706639567deb09757
treee5e441228410cb193f15b69776428ea8089c1b15tree | snapshot
parent5c563658ea11858b1dcf2f4ea8c0282db86700fccommit | diff
fork: fix use-after-free with vfork

The pointer to the child is stored without any reference held. Then it is
blindly used to wait until P_PPWAIT is cleared. However, if the child is
autoreaped it could have exited and get freed before the parent started
waiting.

Use the existing hold mechanism to mitigate the problem. Most common case
of doing exec remains unchanged. The corner case of doing exit performs
wake up before waiting for holds to clear.

Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18295
sys/kern/kern_exit.c diff | blob | history
sys/kern/kern_fork.c diff | blob | history
sys/kern/subr_syscall.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.