From f75b2ed9477738f86094e848e910734b4a913d14 Mon Sep 17 00:00:00 2001
From: mpi
Date: Fri, 4 Dec 2020 15:16:45 +0000
Subject: Prevent a TOCTOU race in single_thread_set() by extending the scope of the lock.

Make sure `ps_single' is set only once by checking then updating it without releasing the lock.

Analyzed by and ok claudio@
---
 sys/kern/kern_fork.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'sys/kern/kern_fork.c')

diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 6d5f56091f2..169c7a05a64 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_fork.c,v 1.228 2020/12/02 22:35:32 mpi Exp $ */
+/* $OpenBSD: kern_fork.c,v 1.229 2020/12/04 15:16:45 mpi Exp $ */
 /* $NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $ */
 
 /*
@@ -516,7 +516,7 @@ thread_fork(struct proc *curp, void *stack, void *tcb, pid_t *tidptr,
 struct proc *p;
 pid_t tid;
 vaddr_t uaddr;
- int error;
+ int s, error;
 
 if (stack == NULL)
 return EINVAL;
@@ -563,10 +563,12 @@ thread_fork(struct proc *curp, void *stack, void *tcb, pid_t *tidptr,
 * if somebody else wants to take us to single threaded mode,
 * count ourselves in.
 */
+ SCHED_LOCK(s);
 if (pr->ps_single) {
 atomic_inc_int(&pr->ps_singlecount);
 atomic_setbits_int(&p->p_flag, P_SUSPSINGLE);
 }
+ SCHED_UNLOCK(s);
 
 /*
 * Return tid to parent thread and copy it out to userspace
-- 
cgit v1.2.3-59-g8ed1b
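Review bot: The comment block above the new SCHED_LOCK(s) in the -563 hunk still describes only the intent ("count ourselves in") and not the locking requirement that this commit introduces, so a later reader could drop or narrow the lock without seeing why it matters; I would extend that comment with `* The ps_single test and the ps_singlecount/P_SUSPSINGLE update must stay under SCHED_LOCK so the result cannot change between the check and the count (see single_thread_set()).` The subject names single_thread_set() as the other side of the race, but this view is limited to kern_fork.c, so whether that function now checks and sets ps_single under the same lock cannot be confirmed here and should be verified in the companion change. The enclosing thread_fork() starts and ends outside the hunk, so I also cannot see whether any error path between the lock and the return touches ps_singlecount; the two lines added here keep the critical section to the check and the two atomic updates, which is the right size.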