Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Correct use-after-free issue in vfork(2)
details: https://anonhg.NetBSD.org/src/rev/6bdfdd9bcc7a
branches: trunk
changeset: 999664:6bdfdd9bcc7a
user: kamil <kamil%NetBSD.org@localhost>
date: Thu Jun 13 20:20:18 2019 +0000
description:
Correct use-after-free issue in vfork(2)
In the previous behavior vforking parent was keeping pointer to a child
and checking whether it clears a PL_PPWAIT in its bitfield p_lflag. However
a child can go invalid between exec/exit event from child and waking up
vforked parent and this can cause invalid pointer read and in the worst
scenario kernel crash.
In the new behavior vforked child keeps a reference to vforked parent LWP
and sets a value l_vforkwaiting to false. This means that vforked child
can finish its work, exec/exit and be terminated and once parent will be
woken up it will read its own field whether its child is still blocking.
Add new field in struct lwp: l_vforkwaiting protected by proc_lock.
In future it should be refactored and all PL_PPWAIT users transformed to
l_vforkwaiting and next l_vforkwaiting probably transformed into a bit
field.
This is another attempt of fixing this bug after <rmind> from 2012 in
commit:
Author: rmind <rmind%NetBSD.org@localhost>
Date: Sun Jul 22 22:40:18 2012 +0000
fork1: fix use-after-free problems. Addresses PR/46128 from Andrew Doran.
Note: PL_PPWAIT should be fully replaced and modificaiton of l_pflag by
other LWP is undesirable, but this is enough for netbsd-6.
The new version no longer performs unsafe access in l_lflag changing the
LP_VFORKWAIT bit.
Verified with ATF t_vfork and t_ptrace* tests and they are no longer
causing any issues in my local setup.
Fixes PR/46128 by Andrew Doran
diffstat:
sys/kern/kern_exec.c | 13 ++++++++++---
sys/kern/kern_exit.c | 12 +++++++++---
sys/kern/kern_fork.c | 13 +++++++------
sys/sys/lwp.h | 4 ++--
4 files changed, 28 insertions(+), 14 deletions(-)
diffs (143 lines):
diff -r a091acb7f62e -r 6bdfdd9bcc7a sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c Thu Jun 13 19:37:36 2019 +0000
+++ b/sys/kern/kern_exec.c Thu Jun 13 20:20:18 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.466 2019/06/11 23:18:55 kamil Exp $ */
+/* $NetBSD: kern_exec.c,v 1.467 2019/06/13 20:20:18 kamil Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.466 2019/06/11 23:18:55 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.467 2019/06/13 20:20:18 kamil Exp $");
#include "opt_exec.h"
#include "opt_execfmt.h"
@@ -1207,10 +1207,17 @@
* exited and exec()/exit() are the only places it will be cleared.
*/
if ((p->p_lflag & PL_PPWAIT) != 0) {
+ lwp_t *lp;
+
mutex_enter(proc_lock);
+ lp = p->p_vforklwp;
+ p->p_vforklwp = NULL;
+
l->l_lwpctl = NULL; /* was on loan from blocked parent */
p->p_lflag &= ~PL_PPWAIT;
- cv_broadcast(&p->p_pptr->p_waitcv);
+ lp->l_vforkwaiting = false;
+
+ cv_broadcast(&lp->l_waitcv);
mutex_exit(proc_lock);
}
diff -r a091acb7f62e -r 6bdfdd9bcc7a sys/kern/kern_exit.c
--- a/sys/kern/kern_exit.c Thu Jun 13 19:37:36 2019 +0000
+++ b/sys/kern/kern_exit.c Thu Jun 13 20:20:18 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exit.c,v 1.275 2019/05/17 03:34:26 ozaki-r Exp $ */
+/* $NetBSD: kern_exit.c,v 1.276 2019/06/13 20:20:18 kamil Exp $ */
/*-
* Copyright (c) 1998, 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.275 2019/05/17 03:34:26 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.276 2019/06/13 20:20:18 kamil Exp $");
#include "opt_ktrace.h"
#include "opt_dtrace.h"
@@ -342,9 +342,15 @@
*/
mutex_enter(proc_lock);
if (p->p_lflag & PL_PPWAIT) {
+ lwp_t *lp;
+
l->l_lwpctl = NULL; /* was on loan from blocked parent */
p->p_lflag &= ~PL_PPWAIT;
- cv_broadcast(&p->p_pptr->p_waitcv);
+
+ lp = p->p_vforklwp;
+ p->p_vforklwp = NULL;
+ lp->l_vforkwaiting = false;
+ cv_broadcast(&lp->l_waitcv);
}
if (SESS_LEADER(p)) {
diff -r a091acb7f62e -r 6bdfdd9bcc7a sys/kern/kern_fork.c
--- a/sys/kern/kern_fork.c Thu Jun 13 19:37:36 2019 +0000
+++ b/sys/kern/kern_fork.c Thu Jun 13 20:20:18 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_fork.c,v 1.212 2019/05/03 22:34:21 kamil Exp $ */
+/* $NetBSD: kern_fork.c,v 1.213 2019/06/13 20:20:18 kamil Exp $ */
/*-
* Copyright (c) 1999, 2001, 2004, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_fork.c,v 1.212 2019/05/03 22:34:21 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_fork.c,v 1.213 2019/06/13 20:20:18 kamil Exp $");
#include "opt_ktrace.h"
#include "opt_dtrace.h"
@@ -413,11 +413,12 @@
if (flags & FORK_PPWAIT) {
/* Mark ourselves as waiting for a child. */
- l1->l_pflag |= LP_VFORKWAIT;
p2->p_lflag = PL_PPWAIT;
+ l1->l_vforkwaiting = true;
p2->p_vforklwp = l1;
} else {
p2->p_lflag = 0;
+ l1->l_vforkwaiting = false;
}
p2->p_sflag = 0;
p2->p_slflag = 0;
@@ -610,10 +611,10 @@
/*
* Preserve synchronization semantics of vfork. If waiting for
- * child to exec or exit, sleep until it clears LP_VFORKWAIT.
+ * child to exec or exit, sleep until it clears p_vforkwaiting.
*/
- while (p2->p_lflag & PL_PPWAIT) // XXX: p2 can go invalid
- cv_wait(&p1->p_waitcv, proc_lock);
+ while (l1->l_vforkwaiting)
+ cv_wait(&l1->l_waitcv, proc_lock);
/*
* Let the parent know that we are tracing its child.
diff -r a091acb7f62e -r 6bdfdd9bcc7a sys/sys/lwp.h
--- a/sys/sys/lwp.h Thu Jun 13 19:37:36 2019 +0000
+++ b/sys/sys/lwp.h Thu Jun 13 20:20:18 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: lwp.h,v 1.183 2019/05/17 03:34:26 ozaki-r Exp $ */
+/* $NetBSD: lwp.h,v 1.184 2019/06/13 20:20:18 kamil Exp $ */
/*
* Copyright (c) 2001, 2006, 2007, 2008, 2009, 2010
@@ -132,6 +132,7 @@
callout_t l_timeout_ch; /* !: callout for tsleep */
u_int l_emap_gen; /* !: emap generation number */
kcondvar_t l_waitcv; /* a: vfork() wait */
+ bool l_vforkwaiting; /* a: vfork() waiting */
#if PCU_UNIT_COUNT > 0
struct cpu_info * volatile l_pcu_cpu[PCU_UNIT_COUNT];
@@ -256,7 +257,6 @@
#define LP_INTR 0x00000040 /* Soft interrupt handler */
#define LP_SYSCTLWRITE 0x00000080 /* sysctl write lock held */
#define LP_MUSTJOIN 0x00000100 /* Must join kthread on exit */
-#define LP_VFORKWAIT 0x00000200 /* Waiting at vfork() for a child */
#define LP_SINGLESTEP 0x00000400 /* Single step thread in ptrace(2) */
#define LP_TIMEINTR 0x00010000 /* Time this soft interrupt */
#define LP_PREEMPTING 0x00020000 /* mi_switch called involuntarily */
Home |
Main Index |
Thread Index |
Old Index