From 2e81cdb6cc15fd5647d615ece428d108f532fd67 Mon Sep 17 00:00:00 2001
From: guenther
Date: Tue, 14 Oct 2008 18:27:29 +0000
Subject: Back-in; problems were apparently elsewhere. Put a reference count in struct process to prevent use-after-free if the main thread reaches the reaper ahead of some other thread in the process. Use the reference count to update the user process count correctly when changin real uid. "please re-commit before something else nasty comes in" deraadt@
---
 sys/kern/kern_fork.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'sys/kern/kern_fork.c')
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 83ad6805002..4d435e85aa2 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_fork.c,v 1.97 2008/10/10 14:35:06 deraadt Exp $ */
+/* $OpenBSD: kern_fork.c,v 1.98 2008/10/14 18:27:29 guenther Exp $ */
 /* $NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $ */
 
 /*
@@ -161,6 +161,7 @@ process_new(struct proc *newproc, struct proc *parent)
 pr->ps_mainproc = newproc;
 TAILQ_INIT(&pr->ps_threads);
 TAILQ_INSERT_TAIL(&pr->ps_threads, newproc, p_thr_link);
+ pr->ps_refcnt = 1;
 newproc->p_p = pr;
 }
 
@@ -231,6 +232,7 @@ fork1(struct proc *p1, int exitsig, int flags, void *stack, size_t stacksize,
 atomic_setbits_int(&p2->p_flag, P_THREAD);
 p2->p_p = p1->p_p;
 TAILQ_INSERT_TAIL(&p2->p_p->ps_threads, p2, p_thr_link);
+ p2->p_p->ps_refcnt++;
 } else {
 process_new(p2, p1);
 }
-- 
cgit v1.2.3-59-g8ed1b
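Review bot: `pr->ps_refcnt = 1;` in process_new carries no comment saying what the count represents or who releases it, and within this file the only other writer is the per-thread increment in fork1, so a reader cannot tell from kern_fork.c alone when the process is freed. Per the commit message the count exists to keep struct process alive until the last thread has passed the reaper, so a one-line comment at the initialisation would make the invariant checkable: `/* one reference per thread; the reaper drops them and the last one frees the process */`. If the reaper side actually follows a different rule, the comment should say that instead; it is not visible here.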
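Review bot: `p2->p_p->ps_refcnt++;` in fork1 is a plain read-modify-write on a field shared by every thread of the process, and the hunk does not show which lock (if any) covers it; the adjacent `TAILQ_INSERT_TAIL` is presumably protected the same way, so whatever protects the thread list must also be documented as protecting `ps_refcnt`, otherwise a concurrent thread exiting through the reaper can lose an update and the count the commit introduces to prevent use-after-free becomes unreliable. A comment on the field or at this line naming that lock would settle it, e.g. `/* ps_refcnt is protected by the same lock as ps_threads */`. Also, the reference is taken before fork1 has finished creating the thread; any failure path later in fork1 would now have to drop it, and no such decrement appears in this diff. fork1's body starts and ends outside the hunk, so that cannot be confirmed from here.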