From nobody Sun Jun 21 11:48:00 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gjqMj2ZVcz6jZGv for ; Sun, 21 Jun 2026 11:48:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "YR1" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gjqMh69qHz3WHw for ; Sun, 21 Jun 2026 11:48:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782042480; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rfTqqrdlo/AZ42QbSqbdN2EEDsRf3rwDVqX8QJRa9PE=; b=NiKxZ036TdewNb7RwiznEcsB5FSbiW2J98mJKpF1AnXy3dvfhv53FokrknkNY0FM2vOT1I GQZdpxF7YCSbYK/HP/+4tDThkC6xlIAVw51N31ID/S0HrRyzKlYxpBtHy+e7N0DSNBwTLs Dsbo26epciYlPovhwZVn+22G7NmzfDHeZCnhVyNizHgwfSQNGJBxKKzuWBnPYjPOECendj +vnx6CRGku1sg4eFDlzqi/g/yWkxVp07dFQrBkXj1L6yP02r8UfqagDctZ0BbNxCs3H9Q9 aB4GLKfFeEETTmE36bFtH1In+F8Mn1UsjfA6dqGwJYbZ6hGuZPzU0cQvlIS5cQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782042480; a=rsa-sha256; cv=none; b=mtJoKpcij/PeoZL9LKF2Z5fMfJgBFTJBZA7Vrwnjfps3C9M4OxKzLZSngDV3IZlzWT7EA7 GDEjBtc2WHNmmTn7EmADziu0tLC8VP/DsW4MuvcoY47qd+aTbVnX9yqz8XUYgjYfgh5dl9 i0B8TwHfcZtAwzG2JaAZgZsCgPmIemVU6IOyC6MtHYf7c/3jM9lHvoZyy4g2eK57QKhmv8 Ir40Pj+G1/M1mRWO7SL92zGImgM2+0aREJy3Bq7waUcrp6fCtZYeG7RKeE1XsRPKYimYqv lSqLnOMA/8d+kSwPHySln8EtLEMG4TFko22XdFGchEIpFYFSgD3STjb9Ns1oiQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782042480; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rfTqqrdlo/AZ42QbSqbdN2EEDsRf3rwDVqX8QJRa9PE=; b=a/RMKh+zxRZ6QH/Ngwxmz+vooVktBekSQfGGJiVbajzLNxsBwHmK1l9/mbRWoK7gr2XsiG FUkuBpFhREu7jzOtawKtyrV0SGLdtoBkQ8aIe9WnIj3w+aakulKti9qkd6wSfdc6LIwOSG TyLLEkdyD/CrMTI9qhiFIlRrlfgEU5T56Ev3mTNIvKzWK2wlloI2btddRJIhqxu04F7jEm 2bnH9kx6ra4ION30ZSpoDDQuuRNshgd5+qhTVOf/6E2mgibaI60VLi1VDnLxrXY6UL3v7u JHqwxZo3pJkFWwqxmHIly81iTYvbEP4gudJ1vxd2rfdSXe36KWMHGL97nrsN1g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gjqMh4y1tz1FG0 for ; Sun, 21 Jun 2026 11:48:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 24274 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 21 Jun 2026 11:48:00 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Konstantin Belousov Subject: git: e1b0d051bbf7 - main - proc: Allow to make proc_rwmem() operate on a consistent address space List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e1b0d051bbf7e4e730470cbd6622f71a639834c3 Auto-Submitted: auto-generated Date: Sun, 21 Jun 2026 11:48:00 +0000 Message-Id: <6a37cf70.24274.1e80d1a4@gitrepo.freebsd.org> The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=e1b0d051bbf7e4e730470cbd6622f71a639834c3 commit e1b0d051bbf7e4e730470cbd6622f71a639834c3 Author: Konstantin Belousov AuthorDate: 2026-06-07 17:57:06 +0000 Commit: Konstantin Belousov CommitDate: 2026-06-21 11:46:52 +0000 proc: Allow to make proc_rwmem() operate on a consistent address space Provide proc_vmspace_ref() to safely obtain the reference to the target process vmspace, optionally - requiring that the target cannot execve(2) and thus cannot change its vmspace until vmspace in unreferenced - requiring the check of permissions of the caller after the vmspace reference is obtained, since the process lock might have been dropped in the process. Reviewed by: markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D57497 --- sys/fs/cuse/cuse.c | 4 +- sys/fs/procfs/procfs_mem.c | 2 +- sys/kern/kern_prot.c | 10 ++-- sys/kern/sys_process.c | 127 ++++++++++++++++++++++++++++++++++++++------- sys/sys/ptrace.h | 15 +++++- 5 files changed, 129 insertions(+), 29 deletions(-) diff --git a/sys/fs/cuse/cuse.c b/sys/fs/cuse/cuse.c index b914b2d5017c..8f67c4b5572b 100644 --- a/sys/fs/cuse/cuse.c +++ b/sys/fs/cuse/cuse.c @@ -916,7 +916,7 @@ cuse_proc2proc_copy(struct proc *proc_s, vm_offset_t data_s, }; PHOLD(proc_s); - error = proc_rwmem(proc_s, &uio); + error = proc_rwmem(proc_s, &uio, 0); PRELE(proc_s); } else if (proc_cur == proc_s) { @@ -935,7 +935,7 @@ cuse_proc2proc_copy(struct proc *proc_s, vm_offset_t data_s, }; PHOLD(proc_d); - error = proc_rwmem(proc_d, &uio); + error = proc_rwmem(proc_d, &uio, 0); PRELE(proc_d); } else { error = EINVAL; diff --git a/sys/fs/procfs/procfs_mem.c b/sys/fs/procfs/procfs_mem.c index 0020b8f8a8d8..824fcd33b2ef 100644 --- a/sys/fs/procfs/procfs_mem.c +++ b/sys/fs/procfs/procfs_mem.c @@ -64,7 +64,7 @@ procfs_doprocmem(PFS_FILL_ARGS) error = p_candebug(td, p); PROC_UNLOCK(p); if (error == 0) - error = proc_rwmem(p, uio); + error = proc_rwmem(p, uio, 0); return (error); } diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index c8dc05f0ebbd..47744f6b07fe 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -2360,11 +2360,11 @@ p_candebug(struct thread *td, struct proc *p) } /* - * Can't trace a process that's currently exec'ing. - * - * XXX: Note, this is not a security policy decision, it's a - * basic correctness/functionality decision. Therefore, this check - * should be moved to the caller's of p_candebug(). + * Can't trace a process that's currently exec'ing. Otherwise + * the process vmspace might change, and the target might be + * loading a setugid image. The execve_block(9) and + * proc_vmspace_ref(9) allow to get the stable credentials and + * vmspace reference. */ if ((p->p_flag & P_INEXEC) != 0) return (EBUSY); diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index 5effc6fbe2d7..81cff03250a9 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -33,6 +33,7 @@ #include #include +#include #include #include #include @@ -367,25 +368,93 @@ proc_sstep(struct thread *td) return (ptrace_single_step(td)); } +static int +proc_vmspace_check_access(struct thread *td, struct proc *p, int flags) +{ + PROC_ASSERT_HELD(p); + if ((flags & PRVM_CHECK_DEBUG) != 0) + return (p_candebug(td, p)); + if ((flags & PRVM_CHECK_VISIBILITY) != 0) + return (p_cansee(td, p)); + return (0); +} + int -proc_rwmem(struct proc *p, struct uio *uio) +proc_vmspace_ref(struct thread *td, struct proc *p, int flags, + struct vmspace **vmp) +{ + struct vmspace *vm; + int error; + + MPASS((flags & ~(PRVM_BLOCK_EXEC | PRVM_CHECK_VISIBILITY | + PRVM_CHECK_DEBUG)) == 0); + MPASS((flags & (PRVM_CHECK_VISIBILITY | PRVM_CHECK_DEBUG)) != + (PRVM_CHECK_VISIBILITY | PRVM_CHECK_DEBUG)); + + PROC_LOCK(p); + if (p != td->td_proc) { + PROC_ASSERT_HELD(p); + + /* + * Make sure that the vmspace doesn't switch out from + * under us. + */ + if ((flags & PRVM_BLOCK_EXEC) != 0) { + for (;;) { + if (!execve_block(td, p)) { + PROC_LOCK(p); + continue; + } + error = proc_vmspace_check_access(td, p, flags); + if (error != 0) { + execve_unblock(td, p); + PROC_UNLOCK(p); + return (error); + } + break; + } + } else { + error = proc_vmspace_check_access(td, p, flags); + if (error != 0) { + PROC_UNLOCK(p); + return (error); + } + } + } + vm = vmspace_acquire_ref(p); + if (vm == NULL) { + if (p != td->td_proc && (flags & PRVM_BLOCK_EXEC) != 0) + execve_unblock(td, p); + PROC_UNLOCK(p); + return (ESRCH); + } + PROC_UNLOCK(p); + *vmp = vm; + return (0); +} + +void +proc_vmspace_unref(struct thread *td, struct proc *p, int flags, + struct vmspace *vm) +{ + vmspace_free(vm); + if (p != td->td_proc && (flags & PRVM_BLOCK_EXEC) != 0) { + PROC_LOCK(p); + PROC_ASSERT_HELD(p); + execve_unblock(td, p); + PROC_UNLOCK(p); + } +} + +static int +vmspace_rwmem(struct vmspace *vm, struct uio *uio) { vm_map_t map; vm_offset_t pageno; /* page number */ vm_prot_t reqprot; int error, fault_flags, page_offset, writing; - /* - * Make sure that the process' vmspace remains live. - */ - if (p != curproc) - PROC_ASSERT_HELD(p); - PROC_LOCK_ASSERT(p, MA_NOTOWNED); - - /* - * The map we want... - */ - map = &p->p_vmspace->vm_map; + map = &vm->vm_map; /* * If we are writing, then we request vm_fault() to create a private @@ -399,7 +468,7 @@ proc_rwmem(struct proc *p, struct uio *uio) if (writing) { error = priv_check(curthread, PRIV_PROC_MEM_WRITE); if (error != 0) - return (error); + goto out; } /* @@ -457,16 +526,34 @@ proc_rwmem(struct proc *p, struct uio *uio) } while (error == 0 && uio->uio_resid > 0); +out: return (error); } -static ssize_t -proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, +int +proc_rwmem(struct proc *p, struct uio *uio, int flags) +{ + struct vmspace *vm; + struct thread *td; + int error; + + td = curthread; + error = proc_vmspace_ref(td, p, flags, &vm); + if (error != 0) + return (error); + error = vmspace_rwmem(vm, uio); + proc_vmspace_unref(td, p, flags, vm); + return (error); +} + +ssize_t +vmspace_iop(struct thread *td, struct vmspace *vm, vm_offset_t va, void *buf, size_t len, enum uio_rw rw) { struct iovec iov; struct uio uio; ssize_t slen; + int error; MPASS(len < SSIZE_MAX); slen = (ssize_t)len; @@ -480,8 +567,8 @@ proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, uio.uio_segflg = UIO_SYSSPACE; uio.uio_rw = rw; uio.uio_td = td; - proc_rwmem(p, &uio); - if (uio.uio_resid == slen) + error = vmspace_rwmem(vm, &uio); + if (error != 0 || uio.uio_resid == slen) return (-1); return (slen - uio.uio_resid); } @@ -491,7 +578,7 @@ proc_readmem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, size_t len) { - return (proc_iop(td, p, va, buf, len, UIO_READ)); + return (vmspace_iop(td, p->p_vmspace, va, buf, len, UIO_READ)); } ssize_t @@ -499,7 +586,7 @@ proc_writemem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, size_t len) { - return (proc_iop(td, p, va, buf, len, UIO_WRITE)); + return (vmspace_iop(td, p->p_vmspace, va, buf, len, UIO_WRITE)); } static int @@ -1492,7 +1579,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) goto out; } PROC_UNLOCK(p); - error = proc_rwmem(p, &uio); + error = proc_rwmem(p, &uio, 0); piod->piod_len -= uio.uio_resid; PROC_LOCK(p); break; diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h index cdde142d0487..2ef52b22044c 100644 --- a/sys/sys/ptrace.h +++ b/sys/sys/ptrace.h @@ -247,7 +247,20 @@ int proc_write_fpregs(struct thread *_td, struct fpreg *_fpreg); int proc_read_dbregs(struct thread *_td, struct dbreg *_dbreg); int proc_write_dbregs(struct thread *_td, struct dbreg *_dbreg); int proc_sstep(struct thread *_td); -int proc_rwmem(struct proc *_p, struct uio *_uio); + +#define PRVM_BLOCK_EXEC 0x00000001 +#define PRVM_CHECK_VISIBILITY 0x00000002 +#define PRVM_CHECK_DEBUG 0x00000004 + +#include +struct vmspace; +int proc_vmspace_ref(struct thread *_td, struct proc *_p, int _flags, + struct vmspace **_vmp); +void proc_vmspace_unref(struct thread *_td, struct proc *_p, int _flags, + struct vmspace *_vm); +ssize_t vmspace_iop(struct thread *td, struct vmspace *vm, vm_offset_t va, + void *buf, size_t len, enum uio_rw rw); +int proc_rwmem(struct proc *_p, struct uio *_uio, int _flags); ssize_t proc_readmem(struct thread *_td, struct proc *_p, vm_offset_t _va, void *_buf, size_t _len); ssize_t proc_writemem(struct thread *_td, struct proc *_p, vm_offset_t _va,