NetBSD/sys/kern
kamil 6aa1291e37 Correct use-after-free issue in vfork(2)
In the previous behavior the vforking parent was keeping a pointer to a child
and checking whether it clears PL_PPWAIT in its bitfield p_lflag. However,
a child can go invalid between the exec/exit event from the child and waking up
the vforked parent, and this can cause an invalid pointer read and, in the worst
scenario, a kernel crash.

In the new behavior the vforked child keeps a reference to the vforked parent LWP
and sets its l_vforkwaiting value to false. This means that the vforked child
can finish its work, exec/exit and be terminated, and once the parent is
woken up it will read its own field to see whether its child is still blocking.

Add a new field in struct lwp: l_vforkwaiting, protected by proc_lock.
In the future it should be refactored, all PL_PPWAIT users transformed to
l_vforkwaiting, and then l_vforkwaiting probably transformed into a bit
field.

This is another attempt at fixing this bug, after <rmind>'s from 2012 in
the commit:

Author: rmind <rmind@NetBSD.org>
Date:   Sun Jul 22 22:40:18 2012 +0000

    fork1: fix use-after-free problems.  Addresses PR/46128 from Andrew Doran.
    Note: PL_PPWAIT should be fully replaced and modification of l_pflag by
    other LWP is undesirable, but this is enough for netbsd-6.

The new version no longer performs an unsafe access to l_lflag changing the
LP_VFORKWAIT bit.

Verified with the ATF t_vfork and t_ptrace* tests; they no longer
cause any issues in my local setup.

Fixes PR/46128 by Andrew Doran
2019-06-13 20:20:18 +00:00
Make.tags.inc
Makefile
bufq_disksort.c Use consistently "bufq_private(bufq)" instead of "bufq->bq_private" 2017-05-04 11:03:27 +00:00
bufq_fcfs.c Use consistently "bufq_private(bufq)" instead of "bufq->bq_private" 2017-05-04 11:03:27 +00:00
bufq_priocscan.c Use consistently "bufq_private(bufq)" instead of "bufq->bq_private" 2017-05-04 11:03:27 +00:00
bufq_readprio.c Use consistently "bufq_private(bufq)" instead of "bufq->bq_private" 2017-05-04 11:03:27 +00:00
cnmagic.c Correct typo in the comment 2017-05-04 11:01:16 +00:00
compat_stub.c The max subtype of the ifmedia word is 31. It's too small for Ethernet now. 2019-05-17 07:37:11 +00:00
core_elf32.c Fix code generation for programs with a faulty process map 2019-01-22 03:44:44 +00:00
core_elf64.c
core_netbsd.c Introduce new ptrace(2) interface: PT_SET_SIGINFO and PT_GET_SIGINFO 2017-01-06 22:53:17 +00:00
exec_aout.c
exec_ecoff.c
exec_elf.c deduplicate the elf auxv builder code, welcome to 8.99.43 2019-06-07 23:35:52 +00:00
exec_elf32.c The argument length is in bytes; don't use howmany() 2017-01-25 17:56:45 +00:00
exec_elf64.c The argument length is in bytes; don't use howmany() 2017-01-25 17:56:45 +00:00
exec_script.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
exec_subr.c Export the guard size of the main thread via vm.guard_size. Add a 2017-07-02 16:41:32 +00:00
files.kern move setdisklabel(9) into a separate file. 2019-04-04 20:19:07 +00:00
genlintstub.awk
init_main.c Implement an aggressive psref leak detector 2019-05-17 03:34:26 +00:00
init_sysctl.c remove kern.panic_now -- crashme panic node replaces it. 2019-01-15 07:11:23 +00:00
init_sysctl_base.c Allow architectures to define a macro PROC_MACHINE_ARCH(P) and 2017-10-31 12:37:23 +00:00
init_sysent.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
kern_acct.c fix flatly wrong indent 2019-05-26 19:23:04 +00:00
kern_auth.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
kern_cctr.c
kern_cfglock.c
kern_clock.c C99 initializers for intr_timecounter. 2018-09-03 21:29:30 +00:00
kern_condvar.c Apply C99-style struct initialization to syncobj_t 2018-01-30 07:52:22 +00:00
kern_core.c
kern_cpu.c Fix/add KASSERTS to work with a system of MAXCPUS. Add some comments to 2018-11-13 11:06:19 +00:00
kern_crashme.c clang does not like to deref a null pointer unless it is qualified volatile 2019-01-13 00:11:29 +00:00
kern_ctf.c merge a new version of the CDDL dtrace and ZFS code. 2018-05-28 21:04:59 +00:00
kern_descrip.c handle O_NOSIGPIPE too. 2019-02-20 19:42:14 +00:00
kern_drvctl.c - move export for devmon_insert_vec into sys/device.h. 2018-09-18 01:25:09 +00:00
kern_event.c Fix kernel info leak. There are 4 bytes of padding in struct kevent. 2018-11-13 06:58:14 +00:00
kern_exec.c Correct use-after-free issue in vfork(2) 2019-06-13 20:20:18 +00:00
kern_exit.c Correct use-after-free issue in vfork(2) 2019-06-13 20:20:18 +00:00
kern_fileassoc.c
kern_fork.c Correct use-after-free issue in vfork(2) 2019-06-13 20:20:18 +00:00
kern_history.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
kern_hook.c
kern_idle.c
kern_ksyms.c use Elf_Sym ** instead of casting. 2017-11-04 22:17:55 +00:00
kern_ksyms_buf.c
kern_kthread.c KASSERT() that kthread_join()'s target is expecting to be joined. 2018-01-09 22:58:45 +00:00
kern_ktrace.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
kern_ktrace_vfs.c
kern_lock.c Avoid prepending a timestamp to lock debug outputs on ddb 2019-05-09 05:00:31 +00:00
kern_lwp.c Stop trying to inform debugger about events from an exiting child 2019-06-04 11:54:03 +00:00
kern_malloc.c Provide a code argument in kasan_mark(), and give a code to each caller. 2019-04-07 09:20:04 +00:00
kern_module.c Improve error message 2019-06-11 15:20:57 +00:00
kern_module_vfs.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
kern_mutex.c Avoid prepending a timestamp to lock debug outputs on ddb 2019-05-09 05:00:31 +00:00
kern_mutex_obj.c Obtain proper initialized addresses of locks allocated by mutex_obj_alloc or rw_obj_alloc 2018-02-05 04:25:04 +00:00
kern_ntptime.c Zero out the ntptimeval structure to prevent a 4 byte kernel stack disclosure. 2018-10-29 22:02:25 +00:00
kern_pax.c fix typo 2017-06-25 04:10:47 +00:00
kern_physio.c Don't validate buffer size for tape I/O, this is already done by 2019-04-04 12:26:45 +00:00
kern_pmf.c expose pmf debug switches with sysctl. 2018-04-08 11:46:13 +00:00
kern_proc.c Add support for PTRACE_POSIX_SPAWN to report posix_spawn(3) events 2019-06-11 23:18:55 +00:00
kern_prot.c Make p_ppid contain the original parent's pid even for traced processes. 2016-11-13 15:25:01 +00:00
kern_ras.c
kern_rate.c
kern_reboot.c retire kern_xxx.c. long live kern_xxx.c. 2018-09-14 01:55:19 +00:00
kern_resource.c avoid underflow in user/system time. 2019-04-05 00:33:21 +00:00
kern_rndpool.c - add or adjust /* FALLTHROUGH */ where appropriate 2019-02-03 03:19:25 +00:00
kern_rndq.c Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly 2019-03-01 11:06:55 +00:00
kern_rndsink.c
kern_runq.c remove checks for failure after memory allocation calls that cannot fail: 2017-06-01 02:45:05 +00:00
kern_rwlock.c Avoid prepending a timestamp to lock debug outputs on ddb 2019-05-09 05:00:31 +00:00
kern_rwlock_obj.c Obtain proper initialized addresses of locks allocated by mutex_obj_alloc or rw_obj_alloc 2018-02-05 04:25:04 +00:00
kern_scdebug.c syscall debug - fix build when SYSCALL_DEBUG option is present in kernel config file 2019-03-14 19:51:49 +00:00
kern_sdt.c
kern_sig.c Correct inversed condition for dying process in sigswitch() 2019-06-13 00:07:19 +00:00
kern_sleepq.c
kern_softint.c Implement an aggressive psref leak detector 2019-05-17 03:34:26 +00:00
kern_ssp.c void duplicate definition on statically linking libc+ssp and rumpkern+ssp. 2016-12-06 02:55:42 +00:00
kern_stub.c remove extra #endif 2019-01-27 02:55:26 +00:00
kern_subr.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
kern_synch.c - add or adjust /* FALLTHROUGH */ where appropriate 2019-02-03 03:19:25 +00:00
kern_syscall.c Ship with syscall information with SIGTRAP TRAP_SCE/TRAP_SCX for tracers 2019-05-06 08:05:03 +00:00
kern_sysctl.c print the names of the sysctl nodes in the KASSERT. 2019-01-28 15:56:12 +00:00
kern_tc.c Revert "Sprinkle cold conditionals to make tc_ticktock before inittimecounter." 2018-07-01 15:12:06 +00:00
kern_threadpool.c Use PRIu64 for "uint64_t tp_refcnt". 2019-01-17 10:18:52 +00:00
kern_time.c Fix the code that deals with very long sleeps (> 248 days) which 2019-03-10 14:45:53 +00:00
kern_timeout.c Undo previous, in the name of "defined" behaviour, it breaks things. 2019-03-10 13:44:49 +00:00
kern_todr.c
kern_turnstile.c
kern_uidinfo.c PR/53998: Joel Bertrand: Limit the number of semaphores on a 2019-03-01 03:03:19 +00:00
kern_uuid.c
kern_veriexec.c Document that veriexec_file_add() also expects keep-filename and eval-on-load. 2019-04-28 21:36:19 +00:00
kgdb_stub.c
makesyscalls.sh Refactor the numeric validity check just added, so the error 2018-08-26 11:53:28 +00:00
sched_4bsd.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
sched_m2.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
subr_asan.c Rewrite kasan_mark() to fix a still existing race in pool_cache_get_paddr() 2019-05-04 17:19:10 +00:00
subr_autoconf.c Fix compile error. 2018-12-01 02:08:16 +00:00
subr_blist.c fix number of arguments of kmem_alloc and kmem_zalloc macro. ok skrll. 2017-02-13 16:53:41 +00:00
subr_bufq.c rename module_name to strategy_module_name to avoid fatal shadowing of 2019-02-17 23:17:41 +00:00
subr_callback.c
subr_copy.c Exclude references to _ucas_{32,64}_mp() for _RUMPKERNEL. 2019-04-07 16:27:41 +00:00
subr_cprng.c Allow attaching for write, but return no events. 2017-12-01 19:05:49 +00:00
subr_cpufreq.c
subr_debug.c
subr_device.c
subr_devsw.c Add two utility functions to help use kmem with strings: kmem_strdupsize, 2017-11-07 18:35:57 +00:00
subr_disk.c Implement disk_rename()/iostat_rename() to rename a disk. 2019-05-22 08:47:02 +00:00
subr_disk_mbr.c Factor out the magic checking code for the label, and make it not depend 2019-05-17 18:50:40 +00:00
subr_disk_open.c Fix vnode locking for opendisk(), must lock for VOP_OPEN(). 2019-02-20 10:02:51 +00:00
subr_disklabel.c Fix previous. We define _KERNEL for rump in opt_rumpkernel.h. 2019-04-07 02:58:02 +00:00
subr_emul.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
subr_evcnt.c Fix kernel pointer leaks in sysctl_doevcnt. 2018-11-24 17:40:37 +00:00
subr_exec_fd.c Update comment to match existing function name. 2019-04-08 13:05:23 +00:00
subr_extent.c Don't take the mutex in extent_print if EX_EARLY 2017-12-31 09:25:19 +00:00
subr_hash.c
subr_humanize.c This had a similar problem to that reported in PR lib/54053 2019-03-12 00:25:44 +00:00
subr_interrupt.c - don't return ENOMEM for errors not related to memory 2018-01-28 22:24:58 +00:00
subr_iostat.c Implement disk_rename()/iostat_rename() to rename a disk. 2019-05-22 08:47:02 +00:00
subr_ipi.c Add an ipi_trigger_broadcast() call, like ipi_trigger_multi() but to the 2019-04-06 02:59:05 +00:00
subr_kcov.c Drop no longer available macros KCOV_STORE() KCOV_LOAD() in kcov(4) 2019-05-26 05:41:45 +00:00
subr_kcpuset.c
subr_kleak.c Improve error handling, doesn't matter a lot, but still. 2018-12-10 07:24:49 +00:00
subr_kmem.c Provide a code argument in kasan_mark(), and give a code to each caller. 2019-04-07 09:20:04 +00:00
subr_kobj.c add a kobj_error() to a recently added error case 2018-06-23 14:22:30 +00:00
subr_kobj_vfs.c remove checks for failure after memory allocation calls that cannot fail: 2017-06-01 02:45:05 +00:00
subr_localcount.c Implement a debugging facility (overflow/underflow detection) for localcount 2017-11-17 09:26:36 +00:00
subr_lockdebug.c changes of r1.68 was reverted by r1.69. apply it again. 2019-05-28 07:39:16 +00:00
subr_log.c Rename min/max -> uimin/uimax for better honesty. 2018-09-03 16:29:22 +00:00
subr_lwp_specificdata.c Implement an aggressive psref leak detector 2019-05-17 03:34:26 +00:00
subr_once.c add INIT_ONCE(9), FINI_ONCE(9) with changing once_t. 2019-03-19 08:16:51 +00:00
subr_optstr.c
subr_pcq.c Typos. 2018-02-08 09:05:16 +00:00
subr_pcu.c PR port-arm/52603: 2017-10-16 15:03:57 +00:00
subr_percpu.c vmem_alloc() with VM_SLEEP cannot fail, so percpu_alloc() cannot fail either. 2017-05-31 23:54:17 +00:00
subr_physmap.c
subr_pool.c make pool assertion messages consistent. 2019-06-13 01:13:12 +00:00
subr_prf.c put back line accidentally removed. 2019-05-21 04:57:02 +00:00
subr_prof.c Overhaul the API used to fetch and store individual memory cells in 2019-04-06 03:06:23 +00:00
subr_pserialize.c Change the place to check if a context switch doesn't happen within a pserialize read section 2018-08-14 01:06:01 +00:00
subr_psref.c Implement an aggressive psref leak detector 2019-05-17 03:34:26 +00:00
subr_specificdata.c remove checks for failure after memory allocation calls that cannot fail: 2017-06-01 02:45:05 +00:00
subr_spldebug.c
subr_syscall_stats.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
subr_tftproot.c tftproot_getfile(): return E2BIG when bootfile is too long. 2019-01-20 21:26:13 +00:00
subr_thmap.c pass a pointer to atomic_cas_ptr_p(), not an (equiv) integer. 2019-02-04 08:00:27 +00:00
subr_time.c make _lwp_park return the remaining time to sleep in the "ts" argument 2017-12-08 01:19:29 +00:00
subr_userconf.c call cnpollc(1) and cnpollc(0) around cngetc(). 2018-09-16 23:18:55 +00:00
subr_vmem.c Typos. 2018-02-08 09:05:16 +00:00
subr_workqueue.c Don't wait on workqueue_wait if called from worker itself 2018-06-13 05:26:12 +00:00
subr_xcall.c Sprinkle ASSERT_SLEEPABLE to xcall functions 2018-02-07 04:25:09 +00:00
sys_aio.c Introduce PR_ZERO to avoid open-coding memset()s everywhere. OK riastradh@. 2019-02-10 17:13:33 +00:00
sys_descrip.c provide more info about who is getting ERESTART. 2019-05-21 18:09:31 +00:00
sys_generic.c remove checks for failure after memory allocation calls that cannot fail: 2017-06-01 02:45:05 +00:00
sys_lwp.c Register KTR events for debugger related signals 2019-05-03 22:34:21 +00:00
sys_module.c Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly 2019-03-01 11:06:55 +00:00
sys_mqueue.c mq_send1: fix argument validation and reject too large lengths early. 2019-04-16 01:02:41 +00:00
sys_pipe.c Handle half-closed pipes in FIONWRITE and FIONSPACE. 2019-04-26 17:24:23 +00:00
sys_process.c Paranoia... keep vmspace reference while doing pmap_procwr 2017-04-13 07:58:45 +00:00
sys_pset.c Handle the case when a CPU is assigned to a set it is already a member of. 2018-12-09 23:05:02 +00:00
sys_ptrace.c handle siginfo requests for ptrace32 2017-12-17 20:59:27 +00:00
sys_ptrace_common.c Add support for PTRACE_POSIX_SPAWN to report posix_spawn(3) events 2019-06-11 23:18:55 +00:00
sys_sched.c
sys_select.c Add slop of 1000 and explain why. 2019-05-08 00:55:18 +00:00
sys_sig.c Fix kernel info leak, 4 bytes of padding in struct _ksiginfo. Maybe we 2018-12-01 14:05:33 +00:00
sys_socket.c soo_fcntl is identical to fnullop_fcntl, use the latter 2018-12-04 00:18:05 +00:00
sys_syscall.c Introduce KLEAK, a new feature that can detect kernel information leaks. 2018-12-02 21:00:13 +00:00
syscalls.c Regen 2018-08-10 21:47:14 +00:00
syscalls.conf Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
syscalls.master Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
syscalls_autoload.c Merge the [pgoyette-compat] branch 2019-01-27 02:08:33 +00:00
systrace_args.c Regen 2018-08-10 21:47:14 +00:00
sysv_ipc.c Replace some "panic()" calls with simple "printf() ; return error" 2019-04-10 10:03:50 +00:00
sysv_msg.c Replace some "panic()" calls with simple "printf() ; return error" 2019-04-10 10:03:50 +00:00
sysv_sem.c Replace some "panic()" calls with simple "printf() ; return error" 2019-04-10 10:03:50 +00:00
sysv_shm.c shmctl(SHM_LOCK) does not need to mess with mappings of the shm segment, 2019-06-10 00:35:47 +00:00
tty.c Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly 2019-03-01 11:06:55 +00:00
tty_bsdpty.c
tty_conf.c
tty_ptm.c Rename the MODULE_*_HOOK() macros to MODULE_HOOK_*() as briefly 2019-03-01 11:06:55 +00:00
tty_pty.c Fix reporting EOF via kevent and add a test case 2019-02-15 18:57:15 +00:00
tty_subr.c remove checks for failure after memory allocation calls that cannot fail: 2017-06-01 02:45:05 +00:00
tty_tty.c
uipc_accf.c
uipc_domain.c Fix apparent race. 2018-12-27 07:56:43 +00:00
uipc_mbuf.c Fix ipsecif(4) cannot apply input direction packet filter. Reviewed by ozaki-r@n.o and ryo@n.o. 2019-01-17 02:47:15 +00:00
uipc_mbufdebug.c KNF. No functional change. 2018-10-18 05:44:19 +00:00
uipc_proto.c
uipc_sem.c PR/53998: Joel Bertrand: Limit the number of semaphores on a 2019-03-01 03:03:19 +00:00
uipc_socket.c Add XXXs for SCTP bugs. 2019-06-01 15:20:51 +00:00
uipc_socket2.c - Introduce a new SO_RERROR socket option to explicitly turn on 2018-11-04 16:30:28 +00:00
uipc_syscalls.c sys_recvmmsg: don't defer an error that already gets returned. 2018-11-12 09:21:13 +00:00
uipc_usrreq.c Fix typo in comment (s/seperate/separate/). 2019-06-03 06:04:20 +00:00
vfs_bio.c Fix kernel pointer leaks in sysctl_dobuf. While here constify argument. 2018-11-24 17:52:39 +00:00
vfs_cache.c Summarize lifetime of cache entries. 2017-03-18 22:36:56 +00:00
vfs_cwd.c
vfs_dirhash.c Introduce PR_ZERO to avoid open-coding memset()s everywhere. OK riastradh@. 2019-02-10 17:13:33 +00:00
vfs_getcwd.c Don't walk off the end of the dirent buffer. 2017-07-28 15:37:23 +00:00
vfs_hooks.c
vfs_init.c Move pnbuf_cache into vfs_init.c, where it belongs. 2019-03-28 18:12:24 +00:00
vfs_lockf.c
vfs_lookup.c With TRYEMULROOT namei_getstartdir() gets used twice so have to 2019-03-17 10:14:52 +00:00
vfs_mount.c Move fstrans_unmount() to vfs_rele(), just before it would free the mount. 2019-02-20 10:08:37 +00:00
vfs_quotactl.c
vfs_subr.c Add "void *extra" argument to vcache_new() so a file system may 2019-01-01 10:06:54 +00:00
vfs_syscalls.c do_sys_mkdir(): pass the requested segment down to do_sys_mkdirat(). 2019-05-13 08:17:30 +00:00
vfs_trans.c Walk down to the lowest mount for "fli_alias". 2019-05-13 08:16:56 +00:00
vfs_vnode.c Attach "mnt_transinfo" to "dead_rootmount" so every mount has a 2019-02-20 10:07:27 +00:00
vfs_vnops.c Change vn_openchk() to fail VNON and VBAD with error ENXIO. 2019-03-07 11:09:48 +00:00
vfs_wapbl.c constify wapbl_ops 2018-12-10 21:19:33 +00:00
vfs_xattr.c
vnode_if.c Regen. 2017-07-12 09:31:59 +00:00
vnode_if.sh Operations fstrans_start() and fstrans_start_nowait() now always 2017-06-04 08:03:26 +00:00
vnode_if.src As VOP_ADVLOCK() may block indefinitely we cannot take fstrans here. 2017-07-12 09:31:07 +00:00