procdesc: Make sure to drain selinfo sleepers in procdesc_free()

Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.

Remove the PDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:19.file
Security:	CVE-2026-45251
Reported by:	75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by:	kib, oshogbo
Fixes:		cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision:	https://reviews.freebsd.org/D56887
This commit is contained in:
Mark Johnston
2026-05-08 13:03:49 +00:00
parent c028080749
commit 4b6a23eb8a
4 changed files with 89 additions and 9 deletions
+3 -7
View File
@@ -274,6 +274,7 @@ procdesc_free(struct procdesc *pd)
if (pd->pd_pid != -1)
proc_id_clear(PROC_ID_PID, pd->pd_pid);
seldrain(&pd->pd_selinfo);
knlist_destroy(&pd->pd_selinfo.si_note);
PROCDESC_LOCK_DESTROY(pd);
free(pd, M_PROCDESC);
@@ -316,10 +317,7 @@ procdesc_exit(struct proc *p)
procdesc_free(pd);
return (1);
}
if (pd->pd_flags & PDF_SELECTED) {
pd->pd_flags &= ~PDF_SELECTED;
selwakeup(&pd->pd_selinfo);
}
selwakeup(&pd->pd_selinfo);
KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT);
PROCDESC_UNLOCK(pd);
@@ -438,10 +436,8 @@ procdesc_poll(struct file *fp, int events, struct ucred *active_cred,
PROCDESC_LOCK(pd);
if (pd->pd_flags & PDF_EXITED)
revents |= POLLHUP;
if (revents == 0) {
else
selrecord(td, &pd->pd_selinfo);
pd->pd_flags |= PDF_SELECTED;
}
PROCDESC_UNLOCK(pd);
return (revents);
}
-1
View File
@@ -86,7 +86,6 @@ struct procdesc {
* Flags for the pd_flags field.
*/
#define PDF_CLOSED 0x00000001 /* Descriptor has closed. */
#define PDF_SELECTED 0x00000002 /* Issue selwakeup(). */
#define PDF_EXITED 0x00000004 /* Process exited. */
#define PDF_DAEMON 0x00000008 /* Don't exit when procdesc closes. */
+1
View File
@@ -104,6 +104,7 @@ LIBADD.kcov+= pthread
CFLAGS.ktls_test+= -DOPENSSL_API_COMPAT=0x10100000L
LIBADD.ktls_test+= crypto util
LIBADD.listener_wakeup+= pthread
LIBADD.procdesc+= pthread
LIBADD.shutdown_dgram+= pthread
LIBADD.socket_msg_waitall+= pthread
LIBADD.socket_splice+= pthread
+85 -1
View File
@@ -2,6 +2,7 @@
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2026 ConnectWise
* Copyright (c) 2026 Mark Johnston <markj@FreeBSD.org>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -32,8 +33,12 @@
#include <sys/sysctl.h>
#include <sys/wait.h>
#include <atf-c.h>
#include <poll.h>
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <atf-c.h>
/* Tests for procdesc(4) that aren't specific to any one syscall */
@@ -90,9 +95,88 @@ ATF_TC_BODY(pid_recycle, tc)
close(pd);
}
static void *
poll_procdesc(void *arg)
{
struct pollfd pfd;
pfd.fd = *(int *)arg;
pfd.events = POLLHUP;
(void)poll(&pfd, 1, 5000);
return ((void *)(uintptr_t)pfd.revents);
}
/*
* Regression test to exercise the case where a procdesc is closed while a
* thread is poll()ing it.
*/
ATF_TC_WITHOUT_HEAD(poll_close_race);
ATF_TC_BODY(poll_close_race, tc)
{
pthread_t thr;
pid_t pid;
uintptr_t revents;
int error, pd;
pid = pdfork(&pd, PD_DAEMON);
ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
if (pid == 0) {
pause();
_exit(0);
}
error = pthread_create(&thr, NULL, poll_procdesc, &pd);
ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
/* Wait for the thread to block in poll(2). */
usleep(250000);
ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
error = pthread_join(thr, (void *)&revents);
ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
ATF_REQUIRE_EQ(revents, POLLNVAL);
}
/*
* Verify that poll(2) of a procdesc returns POLLHUP when the process exits.
*/
ATF_TC_WITHOUT_HEAD(poll_exit_wakeup);
ATF_TC_BODY(poll_exit_wakeup, tc)
{
pthread_t thr;
uintptr_t revents;
pid_t pid;
int error, pd;
pid = pdfork(&pd, PD_DAEMON);
ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
if (pid == 0) {
pause();
_exit(0);
}
error = pthread_create(&thr, NULL, poll_procdesc, &pd);
ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
/* Wait for the thread to block in poll(2). */
usleep(250000);
ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0,
"pdkill: %s", strerror(errno));
error = pthread_join(thr, (void *)&revents);
ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
ATF_REQUIRE_EQ(revents, POLLHUP);
ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
}
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, pid_recycle);
ATF_TP_ADD_TC(tp, poll_close_race);
ATF_TP_ADD_TC(tp, poll_exit_wakeup);
return (atf_no_error());
}