Date: Tue, 10 Jul 2001 18:59:57 -0700
From: Dima Dorfman <dima@unixfreak.org>
To: Jason DiCioccio <jdicioccio@epylon.com>
Cc: "'security@freebsd.org'" <security@freebsd.org>, kris@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID: <20010711015958.0921D3E28@bazooka.unixfreak.org>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFEFA1@goofy.epylon.lan>; from jdicioccio@epylon.com on "Tue, 10 Jul 2001 09:27:27 -0700"

Jason DiCioccio <jdicioccio@epylon.com> writes:

> So then I'm guessing this has been 3.5-STABLE is not vulnerable?
> Just want to be sure :-)

What makes you say that? The necessary fix isn't present in RELENG_3, and I doubt that there's something else which hides the issue. I've attached a patch for RELENG_3 that merges the fix. Kris, any reason this shouldn't be applied?

Dima Dorfman
dima@unixfreak.org

Index: kern_exec.c =================================================================== RCS file: /stl/src/FreeBSD/src/sys/kern/kern_exec.c,v retrieving revision 1.93.2.5 diff -u -r1.93.2.5 kern_exec.c --- kern_exec.c 2001/06/16 23:41:58 1.93.2.5 +++ kern_exec.c 2001/07/11 01:58:17 @@ -39,9 +39,9 @@ #include <sys/imgact.h> #include <sys/imgact_elf.h> #include <sys/wait.h> +#include <sys/malloc.h> #include <sys/proc.h> #include <sys/pioctl.h> -#include <sys/malloc.h> #include <sys/namei.h> #include <sys/sysent.h> #include <sys/shm.h> @@ -56,6 +56,7 @@ #include <vm/pmap.h> #include <vm/vm_page.h> #include <vm/vm_map.h> +#include <sys/user.h> #include <vm/vm_kern.h> #include <vm/vm_extern.h> #include <vm/vm_object.h> 
@@ -229,6 +230,27 @@ p->p_fd = tmp; } + /* + * For security and other reasons, signal handlers cannot + * be shared after an exec. The new proces gets a copy of the old + * handlers. In execsigs(), the new process wll have its signals + * reset. + */ + if (p->p_procsig->ps_refcnt > 1) { + struct procsig *newprocsig; + + MALLOC(newprocsig, struct procsig *, sizeof(struct procsig), + M_SUBPROC, M_WAITOK); + bcopy(p->p_procsig, newprocsig, sizeof(*newprocsig)); + p->p_procsig->ps_refcnt--; + p->p_procsig = newprocsig; + p->p_procsig->ps_refcnt = 1; + if (p->p_sigacts == &p->p_addr->u_sigacts) + panic("shared procsig but private sigacts?\n"); + + p->p_addr->u_sigacts = *p->p_sigacts; + p->p_sigacts = &p->p_addr->u_sigacts; + } /* Stop profiling */ stopprofclock(p); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
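
Review bot: In the @@ -39,9 +39,9 @@ hunk, moving #include <sys/malloc.h> ahead of <sys/proc.h> is not explained by anything else in the patch. If the added code or the new <sys/user.h> include depends on that order, say so in the commit message; if it is cosmetic, consider dropping the reorder so the RELENG_3 merge carries only the functional change.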
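
Review bot: In the @@ -56,6 +56,7 @@ hunk, #include <sys/user.h> lands in the middle of the vm/ includes, between <vm/vm_map.h> and <vm/vm_kern.h>. If it has to follow <vm/vm_map.h> for its declarations, a one-line comment would stop someone from re-sorting it later; otherwise place it outside the vm/ block so the grouping stays intact. It is presumably pulled in for the p->p_addr->u_sigacts accesses added further down, which is worth a mention in the commit message.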
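
Review bot: In the @@ -229,6 +230,27 @@ hunk, ps_refcnt is tested before MALLOC(..., M_WAITOK), which can sleep, and is decremented afterwards without being rechecked. If the other sharers drop their references while this process sleeps, the decrement takes the old procsig to zero and nothing in this block frees it, or the shared sigacts that go with it. Consider rechecking the count after the allocation, or freeing the old structures when the decrement reaches zero. The "shared procsig but private sigacts?" panic would also be better placed ahead of the refcount and pointer updates, so the consistency check runs before any state is changed, and the comment has two typos ("proces", "wll").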