NetBSD-Bugs archive
kern/46128: Use after free type problems in fork1()
>Number: 46128
>Category: kern
>Synopsis: Use after free type problems in fork1()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 02 13:25:00 +0000 2012
>Originator: Andrew Doran
>Release: -current
>Organization:
The NetBSD Project
>Environment:
N/A
>Description:
563         sched_enqueue(l2, false);
564         lwp_unlock(l2);
565     }
566     mutex_exit(p2->p_lock);
...
573     while (p2->p_lflag & PL_PPWAIT)
574         cv_wait(&p1->p_waitcv, proc_lock);
Once we have made at least one trip through this loop (proc_lock
released), p2 may no longer exist or may have a different identity.
Suggest something like the following:
- Garbage collect PL_PPWAIT.
- Replace with p2->p_vforklwp. References l1 (parent LWP).
- Add LP_PPWAIT to be set in l1->l_prflag (parent, locked by p1->p_lock).
Sequence:
Parent: set p2->p_vforklwp, SET(l1->l_prflag, LP_PPWAIT)
Parent: cv_wait() while TEST(l1->l_prflag, LP_PPWAIT)
Child: RESET(p2->p_vforklwp->l_prflag, LP_PPWAIT)
Child: clear p2->p_vforklwp, cv_broadcast()
590      * Return child pid to parent process,
591      * marking us as parent via retval[1].
592      */
593     if (retval != NULL) {
594         retval[0] = p2->p_pid;
595         retval[1] = 0;
596     }
As above, must not touch p2 here. Fix: move this block up
to set retval before we relinquish control of child process.
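The wait protocol proposed above, as an added userland simulation (not NetBSD code and not part of this PR): the parent waits on a flag in its own LWP, and the child pid is captured before the child is allowed to run, so nothing dereferences p2 after the handoff. The names lwp, proc, p_vforklwp and LP_PPWAIT follow the PR; the flag value, the single mutex standing in for both proc_lock and p1->p_lock, pthreads, and the sample pid are assumptions.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LP_PPWAIT 0x1   /* assumed value; parent-side flag proposed in the PR */

struct lwp  { int l_prflag; };                        /* parent LWP, l1 */
struct proc { struct lwp *p_vforklwp; int p_pid; };   /* child, p2 */

/* one lock stands in for both proc_lock and p1->p_lock in this simulation */
static pthread_mutex_t proc_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  p_waitcv  = PTHREAD_COND_INITIALIZER;

/* Child side: on exec/exit it releases the parent through the parent's own
 * flag, then tears itself down. From here on p2 must not be touched. */
static void *child_main(void *arg)
{
    struct proc *p2 = arg;
    pthread_mutex_lock(&proc_lock);
    p2->p_vforklwp->l_prflag &= ~LP_PPWAIT;   /* RESET flag on l1, not on p2 */
    p2->p_vforklwp = NULL;
    pthread_cond_broadcast(&p_waitcv);
    pthread_mutex_unlock(&proc_lock);
    memset(p2, 0xff, sizeof *p2);             /* poison: p2's identity is gone */
    free(p2);
    return NULL;
}

/* Parent side of vfork: returns the child pid captured before p2 is handed off. */
int vfork_parent(struct lwp *l1)
{
    struct proc *p2 = calloc(1, sizeof *p2);
    pthread_t t;
    int pid;
    if (p2 == NULL) return -1;
    p2->p_pid = 4242;            /* constructed sample pid */
    pid = p2->p_pid;             /* retval taken while we still own p2 */
    pthread_mutex_lock(&proc_lock);
    p2->p_vforklwp = l1;
    l1->l_prflag |= LP_PPWAIT;
    pthread_create(&t, NULL, child_main, p2); /* child may now run and free p2 */
    while (l1->l_prflag & LP_PPWAIT)          /* test our own flag, never p2 */
        pthread_cond_wait(&p_waitcv, &proc_lock);
    pthread_mutex_unlock(&proc_lock);
    pthread_join(t, NULL);
    return pid;
}

/* Runs one vfork round; returns the pid only if the parent's flag was cleared. */
int run_demo(void) { struct lwp l1 = {0}; int pid = vfork_parent(&l1); return l1.l_prflag == 0 ? pid : -1; }
int main(void) { printf("child pid %d\n", run_demo()); return 0; }
```

Running it under a memory checker confirms the parent performs no access to p2 after the child's free().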
>How-To-Repeat:
Code inspection.
>Fix:
As above.