procdesc: Make sure to drain selinfo sleepers in procdesc_free()
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
This commit is contained in:
@@ -274,6 +274,7 @@ procdesc_free(struct procdesc *pd)
|
||||
if (pd->pd_pid != -1)
|
||||
proc_id_clear(PROC_ID_PID, pd->pd_pid);
|
||||
|
||||
seldrain(&pd->pd_selinfo);
|
||||
knlist_destroy(&pd->pd_selinfo.si_note);
|
||||
PROCDESC_LOCK_DESTROY(pd);
|
||||
free(pd, M_PROCDESC);
|
||||
@@ -316,10 +317,7 @@ procdesc_exit(struct proc *p)
|
||||
procdesc_free(pd);
|
||||
return (1);
|
||||
}
|
||||
if (pd->pd_flags & PDF_SELECTED) {
|
||||
pd->pd_flags &= ~PDF_SELECTED;
|
||||
selwakeup(&pd->pd_selinfo);
|
||||
}
|
||||
selwakeup(&pd->pd_selinfo);
|
||||
KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT);
|
||||
PROCDESC_UNLOCK(pd);
|
||||
|
||||
@@ -438,10 +436,8 @@ procdesc_poll(struct file *fp, int events, struct ucred *active_cred,
|
||||
PROCDESC_LOCK(pd);
|
||||
if (pd->pd_flags & PDF_EXITED)
|
||||
revents |= POLLHUP;
|
||||
if (revents == 0) {
|
||||
else
|
||||
selrecord(td, &pd->pd_selinfo);
|
||||
pd->pd_flags |= PDF_SELECTED;
|
||||
}
|
||||
PROCDESC_UNLOCK(pd);
|
||||
return (revents);
|
||||
}
|
||||
|
||||
@@ -86,7 +86,6 @@ struct procdesc {
|
||||
* Flags for the pd_flags field.
|
||||
*/
|
||||
#define PDF_CLOSED 0x00000001 /* Descriptor has closed. */
|
||||
#define PDF_SELECTED 0x00000002 /* Issue selwakeup(). */
|
||||
#define PDF_EXITED 0x00000004 /* Process exited. */
|
||||
#define PDF_DAEMON 0x00000008 /* Don't exit when procdesc closes. */
|
||||
|
||||
|
||||
@@ -104,6 +104,7 @@ LIBADD.kcov+= pthread
|
||||
CFLAGS.ktls_test+= -DOPENSSL_API_COMPAT=0x10100000L
|
||||
LIBADD.ktls_test+= crypto util
|
||||
LIBADD.listener_wakeup+= pthread
|
||||
LIBADD.procdesc+= pthread
|
||||
LIBADD.shutdown_dgram+= pthread
|
||||
LIBADD.socket_msg_waitall+= pthread
|
||||
LIBADD.socket_splice+= pthread
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
* SPDX-License-Identifier: BSD-2-Clause
|
||||
*
|
||||
* Copyright (c) 2026 ConnectWise
|
||||
* Copyright (c) 2026 Mark Johnston <markj@FreeBSD.org>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -32,8 +33,12 @@
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <atf-c.h>
|
||||
#include <poll.h>
|
||||
#include <pthread.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <atf-c.h>
|
||||
|
||||
/* Tests for procdesc(4) that aren't specific to any one syscall */
|
||||
|
||||
@@ -90,9 +95,88 @@ ATF_TC_BODY(pid_recycle, tc)
|
||||
close(pd);
|
||||
}
|
||||
|
||||
static void *
|
||||
poll_procdesc(void *arg)
|
||||
{
|
||||
struct pollfd pfd;
|
||||
|
||||
pfd.fd = *(int *)arg;
|
||||
pfd.events = POLLHUP;
|
||||
(void)poll(&pfd, 1, 5000);
|
||||
return ((void *)(uintptr_t)pfd.revents);
|
||||
}
|
||||
|
||||
/*
|
||||
* Regression test to exercise the case where a procdesc is closed while a
|
||||
* thread is poll()ing it.
|
||||
*/
|
||||
ATF_TC_WITHOUT_HEAD(poll_close_race);
|
||||
ATF_TC_BODY(poll_close_race, tc)
|
||||
{
|
||||
pthread_t thr;
|
||||
pid_t pid;
|
||||
uintptr_t revents;
|
||||
int error, pd;
|
||||
|
||||
pid = pdfork(&pd, PD_DAEMON);
|
||||
ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
|
||||
if (pid == 0) {
|
||||
pause();
|
||||
_exit(0);
|
||||
}
|
||||
|
||||
error = pthread_create(&thr, NULL, poll_procdesc, &pd);
|
||||
ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
|
||||
|
||||
/* Wait for the thread to block in poll(2). */
|
||||
usleep(250000);
|
||||
|
||||
ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
|
||||
|
||||
error = pthread_join(thr, (void *)&revents);
|
||||
ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
|
||||
ATF_REQUIRE_EQ(revents, POLLNVAL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify that poll(2) of a procdesc returns POLLHUP when the process exits.
|
||||
*/
|
||||
ATF_TC_WITHOUT_HEAD(poll_exit_wakeup);
|
||||
ATF_TC_BODY(poll_exit_wakeup, tc)
|
||||
{
|
||||
pthread_t thr;
|
||||
uintptr_t revents;
|
||||
pid_t pid;
|
||||
int error, pd;
|
||||
|
||||
pid = pdfork(&pd, PD_DAEMON);
|
||||
ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
|
||||
if (pid == 0) {
|
||||
pause();
|
||||
_exit(0);
|
||||
}
|
||||
|
||||
error = pthread_create(&thr, NULL, poll_procdesc, &pd);
|
||||
ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
|
||||
|
||||
/* Wait for the thread to block in poll(2). */
|
||||
usleep(250000);
|
||||
|
||||
ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0,
|
||||
"pdkill: %s", strerror(errno));
|
||||
|
||||
error = pthread_join(thr, (void *)&revents);
|
||||
ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
|
||||
ATF_REQUIRE_EQ(revents, POLLHUP);
|
||||
|
||||
ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
|
||||
}
|
||||
|
||||
ATF_TP_ADD_TCS(tp)
|
||||
{
|
||||
ATF_TP_ADD_TC(tp, pid_recycle);
|
||||
ATF_TP_ADD_TC(tp, poll_close_race);
|
||||
ATF_TP_ADD_TC(tp, poll_exit_wakeup);
|
||||
|
||||
return (atf_no_error());
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user