git: 5a91fa5a7656 - main - kern_proc.c: disallow execve around sysctl kern.proc.rlimit
Date: Sun, 21 Jun 2026 11:48:07 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=5a91fa5a7656c99e527fe7e6f6bf6bd9e85ab589
commit 5a91fa5a7656c99e527fe7e6f6bf6bd9e85ab589
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-06-16 04:30:10 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-06-21 11:46:53 +0000
kern_proc.c: disallow execve around sysctl kern.proc.rlimit
Reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D57497
---
sys/kern/kern_proc.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index f69a65f9d5a1..41e5b6594981 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -2992,8 +2992,9 @@ sysctl_kern_proc_rlimit(SYSCTL_HANDLER_ARGS)
u_int namelen = arg2;
struct rlimit rlim;
struct proc *p;
+ struct thread *td;
u_int which;
- int flags, error;
+ int error;
if (namelen != 2)
return (EINVAL);
@@ -3005,23 +3006,24 @@ sysctl_kern_proc_rlimit(SYSCTL_HANDLER_ARGS)
if (req->newptr != NULL && req->newlen != sizeof(rlim))
return (EINVAL);
- flags = PGET_HOLD | PGET_NOTWEXIT;
- if (req->newptr != NULL)
- flags |= PGET_CANDEBUG;
- else
- flags |= PGET_CANSEE;
- error = pget((pid_t)name[0], flags, &p);
+ td = curthread;
+ error = pget((pid_t)name[0], PGET_NOTWEXIT, &p);
if (error != 0)
return (error);
+ _PHOLD(p);
+ execve_block_wait(td, p);
+ error = req->newptr != NULL ? p_candebug(td, p) : p_cansee(td, p);
+ if (error != 0)
+ goto errout1;
/*
* Retrieve limit.
*/
if (req->oldptr != NULL) {
- PROC_LOCK(p);
lim_rlimit_proc(p, which, &rlim);
- PROC_UNLOCK(p);
}
+ PROC_UNLOCK(p);
+
error = SYSCTL_OUT(req, &rlim, sizeof(rlim));
if (error != 0)
goto errout;
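Review bot: Nothing in the function records why the access check now runs after `execve_block_wait()`, and the commit message has no body to explain it. From the visible lines, `p_candebug()`/`p_cansee()` are evaluated only once exec is blocked on the target, presumably so the credentials that were checked cannot be replaced by an execve before the limit is read or set. A comment above the check, such as `/* Check access only after exec is blocked, so the target cannot change credentials between the check and the rlimit access. */`, would keep a later refactor from moving it back in front of the block. The new code also appears to rely on `pget()` returning with the process lock held now that `PGET_HOLD` is gone, since `_PHOLD(p)` and both checks run before the first `PROC_UNLOCK(p)`; that is worth stating next to the `pget()` call. The function continues outside the hunk.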
@@ -3036,7 +3038,11 @@ sysctl_kern_proc_rlimit(SYSCTL_HANDLER_ARGS)
}
errout:
- PRELE(p);
+ PROC_LOCK(p);
+errout1:
+ _PRELE(p);
+ execve_unblock(td, p);
+ PROC_UNLOCK(p);
return (error);
}
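Review bot: The two exit labels are entered in different lock states and nothing at the labels says so. `errout` is reached with the process unlocked and takes `PROC_LOCK(p)` itself, while `errout1` is reached from the failed access check with the lock still held. A `PROC_LOCK_ASSERT(p, MA_OWNED);` directly after `errout1:`, or a comment like `/* errout: proc unlocked; errout1: proc locked */`, would make a misplaced `goto` fail loudly in an INVARIANTS kernel. The code between the `SYSCTL_OUT` failure and `errout:` lies outside the hunk, so whether every path there arrives unlocked needs checking against the full function.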