git: 836749817036 - main - kern_resource.c: disallow execve around sysctl kern.proc.rlimitusage
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 21 Jun 2026 11:48:09 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=836749817036b90b60af0584fa21f2d9dbd60ff7
commit 836749817036b90b60af0584fa21f2d9dbd60ff7
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-06-16 04:34:16 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-06-21 11:46:53 +0000
kern_resource.c: disallow execve around sysctl kern.proc.rlimitusage
Reviewed by: markj
Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: htts://reviews.freebsd.org/D57497
---
sys/kern/kern_resource.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 95c4e7d5eead..044e95fa64a0 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -46,6 +46,7 @@
#include <sys/mutex.h>
#include <sys/priv.h>
#include <sys/proc.h>
+#include <sys/ptrace.h>
#include <sys/refcount.h>
#include <sys/racct.h>
#include <sys/resourcevar.h>
@@ -823,11 +824,11 @@ sys_getrlimit(struct thread *td, struct getrlimit_args *uap)
}
static int
-getrlimitusage_one(struct proc *p, u_int which, int flags, rlim_t *res)
+getrlimitusage_one(struct proc *p, struct vmspace *vm, u_int which, int flags,
+ rlim_t *res)
{
struct thread *td;
struct uidinfo *ui;
- struct vmspace *vm;
uid_t uid;
int error;
@@ -838,7 +839,6 @@ getrlimitusage_one(struct proc *p, u_int which, int flags, rlim_t *res)
PROC_UNLOCK(p);
ui = uifind(uid);
- vm = vmspace_acquire_ref(p);
switch (which) {
case RLIMIT_CPU:
@@ -919,7 +919,6 @@ getrlimitusage_one(struct proc *p, u_int which, int flags, rlim_t *res)
break;
}
- vmspace_free(vm);
uifree(ui);
return (error);
}
@@ -927,12 +926,15 @@ getrlimitusage_one(struct proc *p, u_int which, int flags, rlim_t *res)
int
sys_getrlimitusage(struct thread *td, struct getrlimitusage_args *uap)
{
+ struct proc *p;
rlim_t res;
int error;
if ((uap->flags & ~(GETRLIMITUSAGE_EUID)) != 0)
return (EINVAL);
- error = getrlimitusage_one(curproc, uap->which, uap->flags, &res);
+ p = curproc;
+ error = getrlimitusage_one(p, p->p_vmspace, uap->which, uap->flags,
+ &res);
if (error == 0)
error = copyout(&res, uap->res, sizeof(res));
return (error);
@@ -1797,6 +1799,8 @@ sysctl_kern_proc_rlimit_usage(SYSCTL_HANDLER_ARGS)
{
rlim_t resval[RLIM_NLIMITS];
struct proc *p;
+ struct thread *td;
+ struct vmspace *vm;
size_t len;
int error, *name, i;
@@ -1806,15 +1810,20 @@ sysctl_kern_proc_rlimit_usage(SYSCTL_HANDLER_ARGS)
if (req->newptr != NULL)
return (EINVAL);
- error = pget((pid_t)name[0], PGET_WANTREAD, &p);
+ td = curthread;
+ error = pget((pid_t)name[0], PGET_HOLD | PGET_NOTWEXIT, &p);
if (error != 0)
return (error);
+ error = proc_vmspace_ref(td, p, PRVM_BLOCK_EXEC |
+ PRVM_CHECK_VISIBILITY, &vm);
+ if (error != 0)
+ goto out;
if ((u_int)arg2 == 1) {
len = sizeof(resval);
memset(resval, 0, sizeof(resval));
for (i = 0; i < RLIM_NLIMITS; i++) {
- error = getrlimitusage_one(p, (unsigned)i, 0,
+ error = getrlimitusage_one(p, vm, (unsigned)i, 0,
&resval[i]);
if (error == ENXIO) {
resval[i] = -1;
@@ -1825,7 +1834,7 @@ sysctl_kern_proc_rlimit_usage(SYSCTL_HANDLER_ARGS)
}
} else {
len = sizeof(resval[0]);
- error = getrlimitusage_one(p, (unsigned)name[1], 0,
+ error = getrlimitusage_one(p, vm, (unsigned)name[1], 0,
&resval[0]);
if (error == ENXIO) {
resval[0] = -1;
@@ -1834,6 +1843,8 @@ sysctl_kern_proc_rlimit_usage(SYSCTL_HANDLER_ARGS)
}
if (error == 0)
error = SYSCTL_OUT(req, resval, len);
+ proc_vmspace_unref(td, p, PRVM_BLOCK_EXEC | PRVM_CHECK_VISIBILITY, vm);
+out:
PRELE(p);
return (error);
}