From 53ffed1b78558babaab0c95a09fad8bcead957d6 Mon Sep 17 00:00:00 2001
From: pgoyette <pgoyette@NetBSD.org>
Date: Fri, 20 Nov 2015 02:58:19 +0000
Subject: [PATCH] Ensure that the PID specified in the FILEMON_SET_PID ioctl()
 call belongs to the caller or one of its descendants.

---
 sys/dev/filemon/filemon.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/sys/dev/filemon/filemon.c b/sys/dev/filemon/filemon.c
index d9db15c5ff50..64c21db9d1f8 100644
--- a/sys/dev/filemon/filemon.c
+++ b/sys/dev/filemon/filemon.c
@@ -24,7 +24,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: filemon.c,v 1.14 2015/11/20 01:33:59 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: filemon.c,v 1.15 2015/11/20 02:58:19 pgoyette Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -278,7 +278,7 @@ filemon_ioctl(struct file * fp, u_long cmd, void *data)
 {
 	int error = 0;
 	struct filemon *filemon;
-	struct proc *tp;
+	struct proc *tp, *lp, *p;
 
 #ifdef DEBUG
 	log(logLevel, "filemon_ioctl(%lu)", cmd);;
@@ -313,6 +313,26 @@ filemon_ioctl(struct file * fp, u_long cmd, void *data)
 			error = ESRCH;
 			break;
 		}
+
+		/* Ensure that target proc is a descendant of curproc */
+		p = tp;
+		while (p) {
+			/*
+			 * make sure p cannot exit
+			 * until we have moved on to p_pptr
+			 */
+			rw_enter(&p->p_reflock, RW_READER);
+			if (p == curproc) {
+				rw_exit(&p->p_reflock);
+				break;
+			}
+			lp = p;
+			p = p->p_pptr;
+			rw_exit(&lp->p_reflock);
+		}
+		if (p == NULL)
+			return EPERM;
+
 		error = kauth_authorize_process(curproc->p_cred,
 		    KAUTH_PROCESS_CANSEE, tp,
 		    KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_ENTRY), NULL, NULL);