]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 79db6fe) | patch
fork: fix use-after-free with vfork
authorMateusz Guzik <mjg@FreeBSD.org>
Thu, 22 Nov 2018 21:08:37 +0000 (21:08 +0000)
committerMateusz Guzik <mjg@FreeBSD.org>
Thu, 22 Nov 2018 21:08:37 +0000 (21:08 +0000)
commitb00b27e925f0f0c21802159dadf41af02e09ae24
treee5e441228410cb193f15b69776428ea8089c1b15tree | snapshot
parent79db6fe7aa5e7bb735eb1566f55edce75615c720commit | diff
fork: fix use-after-free with vfork

The pointer to the child is stored without any reference held. Then it is
blindly used to wait until P_PPWAIT is cleared. However, if the child is
autoreaped it could have exited and get freed before the parent started
waiting.

Use the existing hold mechanism to mitigate the problem. Most common case
of doing exec remains unchanged. The corner case of doing exit performs
wake up before waiting for holds to clear.

Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18295
sys/kern/kern_exit.c diff | blob | history
sys/kern/kern_fork.c diff | blob | history
sys/kern/subr_syscall.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.