authorguenther <guenther@openbsd.org>2008-10-14 18:27:29 +0000
committerguenther <guenther@openbsd.org>2008-10-14 18:27:29 +0000
commit2e81cdb6cc15fd5647d615ece428d108f532fd67 (patch)
tree01cfcfc00531f949e6b201486a246e4bbc88c188 /sys/kern/kern_prot.c
parentuse #define ROQUIET here; no binary change. ok dtucker@ (diff)
Back-in; problems were apparently elsewhere.
Put a reference count in struct process to prevent use-after-free if the main thread reaches the reaper ahead of some other thread in the process. Use the reference count to update the user process count correctly when changing real uid. "please re-commit before something else nasty comes in" deraadt@
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r--sys/kern/kern_prot.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 039b0cbad36..13c94cd0adb 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_prot.c,v 1.33 2008/10/10 14:35:06 deraadt Exp $ */
+/* $OpenBSD: kern_prot.c,v 1.34 2008/10/14 18:27:29 guenther Exp $ */
/* $NetBSD: kern_prot.c,v 1.33 1996/02/09 18:59:42 christos Exp $ */
/*
@@ -377,8 +377,8 @@ sys_setresuid(struct proc *p, void *v, register_t *retval)
/*
* Transfer proc count to new user.
*/
- (void)chgproccnt(pc->p_ruid, -1);
- (void)chgproccnt(ruid, 1);
+ (void)chgproccnt(pc->p_ruid, -p->p_p->ps_refcnt);
+ (void)chgproccnt(ruid, p->p_p->ps_refcnt);
pc->p_ruid = ruid;
}
if (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid) {
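Review bot: The two chgproccnt() calls in sys_setresuid each read `p->p_p->ps_refcnt` separately, so the per-uid process counts stay balanced only if nothing can change the reference count between them; whatever serialises that is not visible in this hunk. Reading the count once makes the transfer self-consistent: `int cnt = p->p_p->ps_refcnt;` followed by `(void)chgproccnt(pc->p_ruid, -cnt);` and `(void)chgproccnt(ruid, cnt);`. The declared type of ps_refcnt is not shown here either, and if it is unsigned the unary minus would wrap before the value is converted for chgproccnt(), which a signed local also avoids. The same pair of calls in the sys_setuid hunk below would take the same change, and in both places the comment could be extended to `Transfer proc count to new user: one per reference held on the process.` so the reason for moving more than one is recorded. Both function bodies continue outside their hunks.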
@@ -582,8 +582,8 @@ sys_setuid(struct proc *p, void *v, register_t *retval)
* Transfer proc count to new user.
*/
if (uid != pc->p_ruid) {
- (void)chgproccnt(pc->p_ruid, -1);
- (void)chgproccnt(uid, 1);
+ (void)chgproccnt(pc->p_ruid, -p->p_p->ps_refcnt);
+ (void)chgproccnt(uid, p->p_p->ps_refcnt);
}
pc->p_ruid = uid;
pc->p_svuid = uid;