git: dab07b77a683 - stable/14 - procdesc: Make sure to drain selinfo sleepers in procdesc_free()

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 20 May 2026 19:37:56 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=dab07b77a683ef7fd3eb4d2ca8a99e2f3ed785d9

commit dab07b77a683ef7fd3eb4d2ca8a99e2f3ed785d9
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-08 13:03:49 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 19:37:14 +0000

    procdesc: Make sure to drain selinfo sleepers in procdesc_free()
    
    Otherwise they are left on a freed list after procdesc_free() is called.
    This can be exploited to elevate privileges.
    
    Remove the PDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
    no one ever called selrecord() on the file description, so I see no
    reason to complicate the code to avoid the call.
    
    Add some regression tests.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:19.file
    Security:       CVE-2026-45251
    Reported by:    75Acol, Lexpl0it, fcgboy, and robinzeng2015
    Reviewed by:    kib, oshogbo
    Fixes:          cfb5f7686588 ("Add experimental support for process descriptors")
    Differential Revision:  https://reviews.freebsd.org/D56887
---
 sys/kern/sys_procdesc.c   |  10 ++--
 sys/sys/procdesc.h        |   1 -
 tests/sys/kern/Makefile   |   2 +
 tests/sys/kern/procdesc.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 133 insertions(+), 8 deletions(-)

diff --git a/sys/kern/sys_procdesc.c b/sys/kern/sys_procdesc.c
index b2b638b6f99f..515d0365ec61 100644
--- a/sys/kern/sys_procdesc.c
+++ b/sys/kern/sys_procdesc.c
@@ -273,6 +273,7 @@ procdesc_free(struct procdesc *pd)
 		KASSERT((pd->pd_flags & PDF_CLOSED),
 		    ("procdesc_free: !PDF_CLOSED"));
 
+		seldrain(&pd->pd_selinfo);
 		knlist_destroy(&pd->pd_selinfo.si_note);
 		PROCDESC_LOCK_DESTROY(pd);
 		free(pd, M_PROCDESC);
@@ -315,10 +316,7 @@ procdesc_exit(struct proc *p)
 		procdesc_free(pd);
 		return (1);
 	}
-	if (pd->pd_flags & PDF_SELECTED) {
-		pd->pd_flags &= ~PDF_SELECTED;
-		selwakeup(&pd->pd_selinfo);
-	}
+	selwakeup(&pd->pd_selinfo);
 	KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT);
 	PROCDESC_UNLOCK(pd);
 	return (0);
@@ -433,10 +431,8 @@ procdesc_poll(struct file *fp, int events, struct ucred *active_cred,
 	PROCDESC_LOCK(pd);
 	if (pd->pd_flags & PDF_EXITED)
 		revents |= POLLHUP;
-	if (revents == 0) {
+	else
 		selrecord(td, &pd->pd_selinfo);
-		pd->pd_flags |= PDF_SELECTED;
-	}
 	PROCDESC_UNLOCK(pd);
 	return (revents);
 }
diff --git a/sys/sys/procdesc.h b/sys/sys/procdesc.h
index 81102dffa6ff..56d625950a80 100644
--- a/sys/sys/procdesc.h
+++ b/sys/sys/procdesc.h
@@ -86,7 +86,6 @@ struct procdesc {
  * Flags for the pd_flags field.
  */
 #define	PDF_CLOSED	0x00000001	/* Descriptor has closed. */
-#define	PDF_SELECTED	0x00000002	/* Issue selwakeup(). */
 #define	PDF_EXITED	0x00000004	/* Process exited. */
 #define	PDF_DAEMON	0x00000008	/* Don't exit when procdesc closes. */
 
diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile
index 51d4aeeaedfc..c455b40747e8 100644
--- a/tests/sys/kern/Makefile
+++ b/tests/sys/kern/Makefile
@@ -27,6 +27,7 @@ ATF_TESTS_C+=	ktls_test
 .endif
 ATF_TESTS_C+=	ktrace_test
 ATF_TESTS_C+=	module_test
+ATF_TESTS_C+=	procdesc
 ATF_TESTS_C+=	ptrace_test
 TEST_METADATA.ptrace_test+=		timeout="15"
 ATF_TESTS_C+=	reaper
@@ -89,6 +90,7 @@ LIBADD.unix_seqpacket_test+=		pthread
 LIBADD.kcov+=				pthread
 CFLAGS.ktls_test+=			-DOPENSSL_API_COMPAT=0x10100000L
 LIBADD.ktls_test+=			crypto util
+LIBADD.procdesc+=			pthread
 LIBADD.socket_msg_waitall+=		pthread
 LIBADD.socket_splice+=			pthread
 LIBADD.sendfile_helper+=		pthread
diff --git a/tests/sys/kern/procdesc.c b/tests/sys/kern/procdesc.c
new file mode 100644
index 000000000000..7505e0e4bb94
--- /dev/null
+++ b/tests/sys/kern/procdesc.c
@@ -0,0 +1,128 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2026 ConnectWise
+ * Copyright (c) 2026 Mark Johnston <markj@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/proc.h>
+#include <sys/procdesc.h>
+#include <sys/sysctl.h>
+#include <sys/wait.h>
+
+#include <poll.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <atf-c.h>
+
+/* Tests for procdesc(4) that aren't specific to any one syscall */
+
+static void *
+poll_procdesc(void *arg)
+{
+	struct pollfd pfd;
+
+	pfd.fd = *(int *)arg;
+	pfd.events = POLLHUP;
+	(void)poll(&pfd, 1, 5000);
+	return ((void *)(uintptr_t)pfd.revents);
+}
+
+/*
+ * Regression test to exercise the case where a procdesc is closed while a
+ * thread is poll()ing it.
+ */
+ATF_TC_WITHOUT_HEAD(poll_close_race);
+ATF_TC_BODY(poll_close_race, tc)
+{
+	pthread_t thr;
+	pid_t pid;
+	uintptr_t revents;
+	int error, pd;
+
+	pid = pdfork(&pd, PD_DAEMON);
+	ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
+	if (pid == 0) {
+		pause();
+		_exit(0);
+	}
+
+	error = pthread_create(&thr, NULL, poll_procdesc, &pd);
+	ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
+
+	/* Wait for the thread to block in poll(2). */
+	usleep(250000);
+
+	ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
+
+	error = pthread_join(thr, (void *)&revents);
+	ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
+	ATF_REQUIRE_EQ(revents, POLLNVAL);
+}
+
+/*
+ * Verify that poll(2) of a procdesc returns POLLHUP when the process exits.
+ */
+ATF_TC_WITHOUT_HEAD(poll_exit_wakeup);
+ATF_TC_BODY(poll_exit_wakeup, tc)
+{
+	pthread_t thr;
+	uintptr_t revents;
+	pid_t pid;
+	int error, pd;
+
+	pid = pdfork(&pd, PD_DAEMON);
+	ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno));
+	if (pid == 0) {
+		pause();
+		_exit(0);
+	}
+
+	error = pthread_create(&thr, NULL, poll_procdesc, &pd);
+	ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error));
+
+	/* Wait for the thread to block in poll(2). */
+	usleep(250000);
+
+	ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0,
+	    "pdkill: %s", strerror(errno));
+
+	error = pthread_join(thr, (void *)&revents);
+	ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error));
+	ATF_REQUIRE_EQ(revents, POLLHUP);
+
+	ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno));
+}
+
+ATF_TP_ADD_TCS(tp)
+{
+	ATF_TP_ADD_TC(tp, poll_close_race);
+	ATF_TP_ADD_TC(tp, poll_exit_wakeup);
+
+	return (atf_no_error());
+}