On Thu, Dec 01, 2022 at 11:28:59AM -0800, Philip Guenther wrote: > On Thu, Dec 1, 2022 at 10:31 AM Vitaliy Makkoveev <m...@openbsd.org> wrote: > ... > > > --- sys/sys/sysctl.h 7 Nov 2022 14:25:44 -0000 1.231 > > +++ sys/sys/sysctl.h 1 Dec 2022 18:15:06 -0000 > > @@ -587,7 +587,7 @@ struct kinfo_vmentry { > > > > #define _FILL_KPROC_MIN(a,b) (((a)<(b))?(a):(b)) > > > > -#define FILL_KPROC(kp, copy_str, p, pr, uc, pg, paddr, \ > > +#define FILL_KPROC(kp, copy_str, p, pr, pg, paddr, \ > > praddr, sess, vm, lim, sa, isthread, show_addresses) \ > > > ... > > > - (kp)->p_svgid = (uc)->cr_svgid; \ > > + PR_LOCK(pr); \ > > + (kp)->p_uid = (pr)->ps_ucred->cr_uid; \ > > > > Nope. As the block comment about this notes, FILL_KPROC() is shared > between the kernel and libkvm and takes each structure pointer separately > as, for example, pr->ps_ucred has the kva address, not the address of the > ucred struct that libkvm has separately read into user memory. > > Now, you _could_ have libkvm update pr->ps_ucred to point to its user-space > copy. However, that would make ucred handling different from the other > sub-structures of struct proc and MOST of those we need the real kva for > the show_address functionality. > > Not sure if this is the yak-shave you want right now... > > (libkvm will obviously also need no-op #defines for PR_LOCK() etc) >
I missed this. Since `ps_ucred' is immutable, we could bump it's reference and use it without holding `ps_mtx': mtx_enter(&pr->ps_mtx); prucred = crhold(pr->ps_ucred); mtx_leave(&pr->ps_mtx); FILL_KPROC(ki, strlcpy, p, pr, prucred, pr->ps_pgrp, ...); crfree(prucred); Otherwise, we could grab `ps_mtx' mutex outside FILL_KPROC(), so dummy PR_LOCK() define will be not required in userland. The diff below follows the first way. Index: sys/kern/kern_acct.c =================================================================== RCS file: /cvs/src/sys/kern/kern_acct.c,v retrieving revision 1.47 diff -u -p -r1.47 kern_acct.c --- sys/kern/kern_acct.c 14 Aug 2022 01:58:27 -0000 1.47 +++ sys/kern/kern_acct.c 1 Dec 2022 19:49:15 -0000 @@ -221,8 +221,10 @@ acct_process(struct proc *p) acct.ac_io = encode_comp_t(r->ru_inblock + r->ru_oublock, 0); /* (6) The UID and GID of the process */ + mtx_enter(&pr->ps_mtx); acct.ac_uid = pr->ps_ucred->cr_ruid; acct.ac_gid = pr->ps_ucred->cr_rgid; + mtx_leave(&pr->ps_mtx); /* (7) The terminal from which the process was started */ if ((pr->ps_flags & PS_CONTROLT) && Index: sys/kern/kern_exec.c =================================================================== RCS file: /cvs/src/sys/kern/kern_exec.c,v retrieving revision 1.240 diff -u -p -r1.240 kern_exec.c --- sys/kern/kern_exec.c 23 Nov 2022 11:00:27 -0000 1.240 +++ sys/kern/kern_exec.c 1 Dec 2022 19:49:15 -0000 @@ -649,9 +649,11 @@ sys_execve(struct proc *p, void *v, regi if (pr->ps_ucred != cred) { struct ucred *ocred; - ocred = pr->ps_ucred; crhold(cred); + mtx_enter(&pr->ps_mtx); + ocred = pr->ps_ucred; pr->ps_ucred = cred; + mtx_leave(&pr->ps_mtx); crfree(ocred); } Index: sys/kern/kern_exit.c =================================================================== RCS file: /cvs/src/sys/kern/kern_exit.c,v retrieving revision 1.207 diff -u -p -r1.207 kern_exit.c --- sys/kern/kern_exit.c 3 Nov 2022 04:56:47 -0000 1.207 +++ sys/kern/kern_exit.c 1 Dec 2022 19:49:15 -0000 @@ -494,7 +494,9 @@ loop: *retval = pr->ps_pid; if (info != NULL) { info->si_pid = pr->ps_pid; + mtx_enter(&pr->ps_mtx); info->si_uid = pr->ps_ucred->cr_uid; + mtx_leave(&pr->ps_mtx); info->si_signo = SIGCHLD; if (pr->ps_xsig == 0) { info->si_code = CLD_EXITED; @@ -530,7 +532,9 @@ loop: *retval = pr->ps_pid; if (info != NULL) { info->si_pid = pr->ps_pid; + mtx_enter(&pr->ps_mtx); info->si_uid = pr->ps_ucred->cr_uid; + mtx_leave(&pr->ps_mtx); info->si_signo = SIGCHLD; info->si_code = CLD_TRAPPED; info->si_status = pr->ps_xsig; @@ -553,7 +557,9 @@ loop: *retval = pr->ps_pid; if (info != 0) { info->si_pid = pr->ps_pid; + mtx_enter(&pr->ps_mtx); info->si_uid = pr->ps_ucred->cr_uid; + mtx_leave(&pr->ps_mtx); info->si_signo = SIGCHLD; info->si_code = CLD_STOPPED; info->si_status = pr->ps_xsig; @@ -572,7 +578,9 @@ loop: *retval = pr->ps_pid; if (info != NULL) { info->si_pid = pr->ps_pid; + mtx_enter(&pr->ps_mtx); info->si_uid = pr->ps_ucred->cr_uid; + mtx_leave(&pr->ps_mtx); info->si_signo = SIGCHLD; info->si_code = CLD_CONTINUED; info->si_status = SIGCONT; Index: sys/kern/kern_ktrace.c =================================================================== RCS file: /cvs/src/sys/kern/kern_ktrace.c,v retrieving revision 1.108 diff -u -p -r1.108 kern_ktrace.c --- sys/kern/kern_ktrace.c 14 Aug 2022 01:58:27 -0000 1.108 +++ sys/kern/kern_ktrace.c 1 Dec 2022 19:49:15 -0000 @@ -693,7 +693,12 @@ int ktrcanset(struct proc *callp, struct process *targetpr) { struct ucred *caller = callp->p_ucred; - struct ucred *target = targetpr->ps_ucred; + struct ucred *target; + int ret = 0; + + mtx_enter(&targetpr->ps_mtx); + + target = targetpr->ps_ucred; if ((caller->cr_uid == target->cr_ruid && target->cr_ruid == target->cr_svuid && @@ -702,7 +707,9 @@ ktrcanset(struct proc *callp, struct pro (targetpr->ps_traceflag & KTRFAC_ROOT) == 0 && !ISSET(targetpr->ps_flags, PS_SUGID)) || caller->cr_uid == 0) - return (1); + ret = 1; + + mtx_leave(&targetpr->ps_mtx); - return (0); + return (ret); } Index: sys/kern/kern_proc.c =================================================================== RCS file: /cvs/src/sys/kern/kern_proc.c,v retrieving revision 1.92 diff -u -p -r1.92 kern_proc.c --- sys/kern/kern_proc.c 14 Aug 2022 01:58:27 -0000 1.92 +++ sys/kern/kern_proc.c 1 Dec 2022 19:49:15 -0000 @@ -583,6 +583,7 @@ db_show_all_procs(db_expr_t addr, int ha break; case 'n': + mtx_enter(&pr->ps_mtx); db_printf("%6d %5d %5d %d %#10x " "%-12.12s %-15s\n", p->p_tid, ppr ? ppr->ps_pid : -1, @@ -590,6 +591,7 @@ db_show_all_procs(db_expr_t addr, int ha p->p_flag | pr->ps_flags, (p->p_wchan && p->p_wmesg) ? p->p_wmesg : "", pr->ps_comm); + mtx_leave(&pr->ps_mtx); break; case 'w': @@ -602,6 +604,7 @@ db_show_all_procs(db_expr_t addr, int ha break; case 'o': + mtx_enter(&pr->ps_mtx); db_printf("%5d %5d %#10x %#10x %3d" "%c %-31s\n", pr->ps_pid, pr->ps_ucred->cr_ruid, @@ -609,6 +612,7 @@ db_show_all_procs(db_expr_t addr, int ha CPU_INFO_UNIT(p->p_cpu), has_kernel_lock ? 'K' : ' ', pr->ps_comm); + mtx_leave(&pr->ps_mtx); break; } Index: sys/kern/kern_prot.c =================================================================== RCS file: /cvs/src/sys/kern/kern_prot.c,v retrieving revision 1.80 diff -u -p -r1.80 kern_prot.c --- sys/kern/kern_prot.c 14 Aug 2022 01:58:27 -0000 1.80 +++ sys/kern/kern_prot.c 1 Dec 2022 19:49:15 -0000 @@ -351,12 +351,16 @@ sys_setresuid(struct proc *p, void *v, r struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; uid_t ruid, euid, suid; - int error; + int error = 0; ruid = SCARG(uap, ruid); euid = SCARG(uap, euid); suid = SCARG(uap, suid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + /* * make permission checks against the thread's ucred, * but the actual changes will be to the process's ucred @@ -365,7 +369,7 @@ sys_setresuid(struct proc *p, void *v, r if ((ruid == (uid_t)-1 || ruid == pruc->cr_ruid) && (euid == (uid_t)-1 || euid == pruc->cr_uid) && (suid == (uid_t)-1 || suid == pruc->cr_svuid)) - return (0); /* no change */ + goto error; /* no change */ /* * Any of the real, effective, and saved uids may be changed @@ -376,28 +380,25 @@ sys_setresuid(struct proc *p, void *v, r ruid != uc->cr_uid && ruid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; if (euid != (uid_t)-1 && euid != uc->cr_ruid && euid != uc->cr_uid && euid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; if (suid != (uid_t)-1 && suid != uc->cr_ruid && suid != uc->cr_uid && suid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); /* @@ -411,6 +412,9 @@ sys_setresuid(struct proc *p, void *v, r if (suid != (uid_t)-1) newcred->cr_svuid = suid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); /* now that we can sleep, transfer proc count to new user */ @@ -421,6 +425,12 @@ sys_setresuid(struct proc *p, void *v, r crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -460,12 +470,16 @@ sys_setresgid(struct proc *p, void *v, r struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; gid_t rgid, egid, sgid; - int error; + int error = 0; rgid = SCARG(uap, rgid); egid = SCARG(uap, egid); sgid = SCARG(uap, sgid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + /* * make permission checks against the thread's ucred, * but the actual changes will be to the process's ucred @@ -474,7 +488,7 @@ sys_setresgid(struct proc *p, void *v, r if ((rgid == (gid_t)-1 || rgid == pruc->cr_rgid) && (egid == (gid_t)-1 || egid == pruc->cr_gid) && (sgid == (gid_t)-1 || sgid == pruc->cr_svgid)) - return (0); /* no change */ + goto error; /* no change */ /* * Any of the real, effective, and saved gids may be changed @@ -485,28 +499,25 @@ sys_setresgid(struct proc *p, void *v, r rgid != uc->cr_gid && rgid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; if (egid != (gid_t)-1 && egid != uc->cr_rgid && egid != uc->cr_gid && egid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; if (sgid != (gid_t)-1 && sgid != uc->cr_rgid && sgid != uc->cr_gid && sgid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); /* @@ -520,9 +531,18 @@ sys_setresgid(struct proc *p, void *v, r if (sgid != (gid_t)-1) newcred->cr_svgid = sgid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -535,11 +555,15 @@ sys_setregid(struct proc *p, void *v, re struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; gid_t rgid, egid; - int error; + int error = 0; rgid = SCARG(uap, rgid); egid = SCARG(uap, egid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + /* * make permission checks against the thread's ucred, * but the actual changes will be to the process's ucred @@ -556,7 +580,7 @@ sys_setregid(struct proc *p, void *v, re (egid == (gid_t)-1 || egid == pruc->cr_gid) && (rgid == (gid_t)-1 || (rgid == pruc->cr_rgid && pruc->cr_svgid == (egid != (gid_t)-1 ? egid : pruc->cr_gid)))) - return (0); /* no change */ + goto error; /* no change */ /* * Any of the real, effective, and saved gids may be changed @@ -567,21 +591,18 @@ sys_setregid(struct proc *p, void *v, re rgid != uc->cr_gid && rgid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; if (egid != (gid_t)-1 && egid != uc->cr_rgid && egid != uc->cr_gid && egid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); if (rgid != (gid_t)-1) @@ -599,9 +620,18 @@ sys_setregid(struct proc *p, void *v, re pruc->cr_svgid != (egid != (gid_t)-1 ? egid : pruc->cr_gid))) newcred->cr_svgid = rgid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -614,11 +644,15 @@ sys_setreuid(struct proc *p, void *v, re struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; uid_t ruid, euid; - int error; + int error = 0; ruid = SCARG(uap, ruid); euid = SCARG(uap, euid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + /* * make permission checks against the thread's ucred, * but the actual changes will be to the process's ucred @@ -635,7 +669,7 @@ sys_setreuid(struct proc *p, void *v, re (euid == (uid_t)-1 || euid == pruc->cr_uid) && (ruid == (uid_t)-1 || (ruid == pruc->cr_ruid && pruc->cr_svuid == (euid != (uid_t)-1 ? euid : pruc->cr_uid)))) - return (0); /* no change */ + goto error; /* no change */ /* * Any of the real, effective, and saved uids may be changed @@ -646,21 +680,18 @@ sys_setreuid(struct proc *p, void *v, re ruid != uc->cr_uid && ruid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; if (euid != (uid_t)-1 && euid != uc->cr_ruid && euid != uc->cr_uid && euid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); if (ruid != (uid_t)-1) @@ -678,6 +709,9 @@ sys_setreuid(struct proc *p, void *v, re pruc->cr_svuid != (euid != (uid_t)-1 ? euid : pruc->cr_uid))) newcred->cr_svuid = ruid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); /* now that we can sleep, transfer proc count to new user */ @@ -688,6 +722,12 @@ sys_setreuid(struct proc *p, void *v, re crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -699,28 +739,29 @@ sys_setuid(struct proc *p, void *v, regi struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; uid_t uid; - int did_real, error; + int did_real, error = 0; uid = SCARG(uap, uid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + pruc = pr->ps_ucred; if (pruc->cr_uid == uid && pruc->cr_ruid == uid && pruc->cr_svuid == uid) - return (0); + goto error; if (uid != uc->cr_ruid && uid != uc->cr_svuid && uid != uc->cr_uid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); /* @@ -734,6 +775,9 @@ sys_setuid(struct proc *p, void *v, regi did_real = 0; newcred->cr_uid = uid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); /* @@ -746,6 +790,12 @@ sys_setuid(struct proc *p, void *v, regi crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -757,29 +807,40 @@ sys_seteuid(struct proc *p, void *v, reg struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; uid_t euid; - int error; + int error = 0; euid = SCARG(uap, euid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + if (pr->ps_ucred->cr_uid == euid) - return (0); + goto error; if (euid != uc->cr_ruid && euid != uc->cr_svuid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); pruc = pr->ps_ucred; crset(newcred, pruc); newcred->cr_uid = euid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -791,28 +852,29 @@ sys_setgid(struct proc *p, void *v, regi struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; gid_t gid; - int error; + int error = 0; gid = SCARG(uap, gid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + pruc = pr->ps_ucred; if (pruc->cr_gid == gid && pruc->cr_rgid == gid && pruc->cr_svgid == gid) - return (0); + goto error; if (gid != uc->cr_rgid && gid != uc->cr_svgid && gid != uc->cr_gid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); - pruc = pr->ps_ucred; crset(newcred, pruc); if (gid == pruc->cr_gid || suser(p) == 0) { @@ -821,9 +883,18 @@ sys_setgid(struct proc *p, void *v, regi } newcred->cr_gid = gid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -835,29 +906,40 @@ sys_setegid(struct proc *p, void *v, reg struct process *pr = p->p_p; struct ucred *pruc, *newcred, *uc = p->p_ucred; gid_t egid; - int error; + int error = 0; egid = SCARG(uap, egid); + newcred = crget(); + + mtx_enter(&pr->ps_mtx); + if (pr->ps_ucred->cr_gid == egid) - return (0); + goto error; if (egid != uc->cr_rgid && egid != uc->cr_svgid && (error = suser(p))) - return (error); + goto error; /* * Copy credentials so other references do not see our changes. - * ps_ucred may change during the crget(). */ - newcred = crget(); pruc = pr->ps_ucred; crset(newcred, pruc); newcred->cr_gid = egid; pr->ps_ucred = newcred; + + mtx_leave(&pr->ps_mtx); + atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); return (0); + +error: + mtx_leave(&pr->ps_mtx); + crfree(newcred); + + return (error); } int @@ -881,11 +963,13 @@ sys_setgroups(struct proc *p, void *v, r error = copyin(SCARG(uap, gidset), groups, ngrp * sizeof(gid_t)); if (error == 0) { newcred = crget(); + mtx_enter(&pr->ps_mtx); pruc = pr->ps_ucred; crset(newcred, pruc); memcpy(newcred->cr_groups, groups, ngrp * sizeof(gid_t)); newcred->cr_ngroups = ngrp; pr->ps_ucred = newcred; + mtx_leave(&pr->ps_mtx); atomic_setbits_int(&p->p_p->ps_flags, PS_SUGID); crfree(pruc); } @@ -1120,10 +1204,12 @@ dorefreshcreds(struct process *pr, struc struct ucred *uc = p->p_ucred; KERNEL_LOCK(); /* XXX should be PROCESS_RLOCK(pr) */ + mtx_enter(&pr->ps_mtx); if (uc != pr->ps_ucred) { p->p_ucred = pr->ps_ucred; crhold(p->p_ucred); crfree(uc); } + mtx_leave(&pr->ps_mtx); KERNEL_UNLOCK(); } Index: sys/kern/kern_resource.c =================================================================== RCS file: /cvs/src/sys/kern/kern_resource.c,v retrieving revision 1.76 diff -u -p -r1.76 kern_resource.c --- sys/kern/kern_resource.c 17 Nov 2022 18:53:13 -0000 1.76 +++ sys/kern/kern_resource.c 1 Dec 2022 19:49:15 -0000 @@ -122,10 +122,13 @@ sys_getpriority(struct proc *curp, void case PRIO_USER: if (SCARG(uap, who) == 0) SCARG(uap, who) = curp->p_ucred->cr_uid; - LIST_FOREACH(pr, &allprocess, ps_list) + LIST_FOREACH(pr, &allprocess, ps_list) { + mtx_enter(&pr->ps_mtx); if (pr->ps_ucred->cr_uid == SCARG(uap, who) && pr->ps_nice < low) low = pr->ps_nice; + mtx_leave(&pr->ps_mtx); + } break; default: @@ -178,11 +181,14 @@ sys_setpriority(struct proc *curp, void case PRIO_USER: if (SCARG(uap, who) == 0) SCARG(uap, who) = curp->p_ucred->cr_uid; - LIST_FOREACH(pr, &allprocess, ps_list) + LIST_FOREACH(pr, &allprocess, ps_list) { + mtx_enter(&pr->ps_mtx); if (pr->ps_ucred->cr_uid == SCARG(uap, who)) { error = donice(curp, pr, SCARG(uap, prio)); found = 1; } + mtx_leave(&pr->ps_mtx); + } break; default: @@ -200,10 +206,15 @@ donice(struct proc *curp, struct process struct proc *p; int s; + mtx_enter(&chgpr->ps_mtx); if (ucred->cr_uid != 0 && ucred->cr_ruid != 0 && ucred->cr_uid != chgpr->ps_ucred->cr_uid && - ucred->cr_ruid != chgpr->ps_ucred->cr_uid) + ucred->cr_ruid != chgpr->ps_ucred->cr_uid) { + mtx_leave(&chgpr->ps_mtx); return (EPERM); + } + mtx_leave(&chgpr->ps_mtx); + if (n > PRIO_MAX) n = PRIO_MAX; if (n < PRIO_MIN) Index: sys/kern/kern_sig.c =================================================================== RCS file: /cvs/src/sys/kern/kern_sig.c,v retrieving revision 1.301 diff -u -p -r1.301 kern_sig.c --- sys/kern/kern_sig.c 16 Oct 2022 16:27:02 -0000 1.301 +++ sys/kern/kern_sig.c 1 Dec 2022 19:49:15 -0000 @@ -149,7 +149,8 @@ cansignal(struct proc *p, struct process { struct process *pr = p->p_p; struct ucred *uc = p->p_ucred; - struct ucred *quc = qr->ps_ucred; + struct ucred *quc; + int ret = 0; if (uc->cr_uid == 0) return (1); /* root can always signal */ @@ -157,12 +158,20 @@ cansignal(struct proc *p, struct process if (pr == qr) return (1); /* process can always signal itself */ + mtx_enter(&qr->ps_mtx); + + quc = qr->ps_ucred; + /* optimization: if the same creds then the tests below will pass */ - if (uc == quc) - return (1); + if (uc == quc) { + ret = 1; + goto out; + } - if (signum == SIGCONT && qr->ps_session == pr->ps_session) - return (1); /* SIGCONT in session */ + if (signum == SIGCONT && qr->ps_session == pr->ps_session) { + ret = 1; /* SIGCONT in session */ + goto out; + } /* * Using kill(), only certain signals can be sent to setugid @@ -184,17 +193,20 @@ cansignal(struct proc *p, struct process case SIGUSR2: if (uc->cr_ruid == quc->cr_ruid || uc->cr_uid == quc->cr_ruid) - return (1); + ret = 1; } - return (0); + goto out; } if (uc->cr_ruid == quc->cr_ruid || uc->cr_ruid == quc->cr_svuid || uc->cr_uid == quc->cr_ruid || uc->cr_uid == quc->cr_svuid) - return (1); - return (0); + ret = 1; + +out: + mtx_leave(&qr->ps_mtx); + return (ret); } /* @@ -755,13 +767,17 @@ pgsigio(struct sigio_ref *sir, int sig, if (sigio == NULL) goto out; if (sigio->sio_pgid > 0) { + mtx_enter(&sigio->sio_proc->ps_mtx); if (CANSIGIO(sigio->sio_ucred, sigio->sio_proc)) prsignal(sigio->sio_proc, sig); + mtx_leave(&sigio->sio_proc->ps_mtx); } else if (sigio->sio_pgid < 0) { LIST_FOREACH(pr, &sigio->sio_pgrp->pg_members, ps_pglist) { + mtx_enter(&pr->ps_mtx); if (CANSIGIO(sigio->sio_ucred, pr) && (checkctty == 0 || (pr->ps_flags & PS_CONTROLT))) prsignal(pr, sig); + mtx_leave(&pr->ps_mtx); } } out: Index: sys/kern/kern_sysctl.c =================================================================== RCS file: /cvs/src/sys/kern/kern_sysctl.c,v retrieving revision 1.408 diff -u -p -r1.408 kern_sysctl.c --- sys/kern/kern_sysctl.c 7 Nov 2022 14:25:44 -0000 1.408 +++ sys/kern/kern_sysctl.c 1 Dec 2022 19:49:15 -0000 @@ -1303,8 +1303,10 @@ fill_file(struct kinfo_file *kf, struct /* per-process information for KERN_FILE_BY[PU]ID */ if (pr != NULL) { kf->p_pid = pr->ps_pid; + mtx_enter(&pr->ps_mtx); kf->p_uid = pr->ps_ucred->cr_uid; kf->p_gid = pr->ps_ucred->cr_gid; + mtx_leave(&pr->ps_mtx); kf->p_tid = -1; strlcpy(kf->p_comm, pr->ps_comm, sizeof(kf->p_comm)); } @@ -1457,10 +1459,13 @@ sysctl_file(int *name, u_int namelen, ch */ if (pr->ps_flags & (PS_SYSTEM | PS_EMBRYO | PS_EXITING)) continue; + mtx_enter(&pr->ps_mtx); if (arg >= 0 && pr->ps_ucred->cr_uid != (uid_t)arg) { + mtx_leave(&pr->ps_mtx); /* not the uid we are looking for */ continue; } + mtx_leave(&pr->ps_mtx); fdp = pr->ps_fd; if (fdp->fd_cdir) FILLIT(NULL, NULL, KERN_FILE_CDIR, fdp->fd_cdir, pr); @@ -1575,13 +1580,21 @@ again: break; case KERN_PROC_UID: - if (pr->ps_ucred->cr_uid != (uid_t)arg) + mtx_enter(&pr->ps_mtx); + if (pr->ps_ucred->cr_uid != (uid_t)arg) { + mtx_leave(&pr->ps_mtx); continue; + } + mtx_leave(&pr->ps_mtx); break; case KERN_PROC_RUID: - if (pr->ps_ucred->cr_ruid != (uid_t)arg) + mtx_enter(&pr->ps_mtx); + if (pr->ps_ucred->cr_ruid != (uid_t)arg) { + mtx_leave(&pr->ps_mtx); continue; + } + mtx_leave(&pr->ps_mtx); break; case KERN_PROC_ALL: @@ -1658,15 +1671,21 @@ fill_kproc(struct process *pr, struct ki struct tty *tp; struct vmspace *vm = pr->ps_vmspace; struct timespec booted, st, ut, utc; + struct ucred *prucred; int isthread; isthread = p != NULL; if (!isthread) p = pr->ps_mainproc; /* XXX */ - FILL_KPROC(ki, strlcpy, p, pr, pr->ps_ucred, pr->ps_pgrp, + mtx_enter(&pr->ps_mtx); + prucred = crhold(pr->ps_ucred); + mtx_leave(&pr->ps_mtx); + + FILL_KPROC(ki, strlcpy, p, pr, prucred, pr->ps_pgrp, p, pr, s, vm, pr->ps_limit, pr->ps_sigacts, isthread, show_pointers); + crfree(prucred); /* stuff that's too painful to generalize into the macros */ if (pr->ps_pptr) @@ -1781,11 +1800,15 @@ sysctl_proc_args(int *name, u_int namele if ((vpr->ps_flags & PS_INEXEC)) return (EBUSY); + mtx_enter(&vpr->ps_mtx); /* Only owner or root can get env */ if ((op == KERN_PROC_NENV || op == KERN_PROC_ENV) && (vpr->ps_ucred->cr_uid != cp->p_ucred->cr_uid && - (error = suser(cp)) != 0)) + (error = suser(cp)) != 0)) { + mtx_leave(&vpr->ps_mtx); return (error); + } + mtx_leave(&vpr->ps_mtx); ps_strings = vpr->ps_strings; vm = vpr->ps_vmspace; @@ -1966,9 +1989,13 @@ sysctl_proc_cwd(int *name, u_int namelen return (EINVAL); /* Only owner or root can get cwd */ + mtx_enter(&findpr->ps_mtx); if (findpr->ps_ucred->cr_uid != cp->p_ucred->cr_uid && - (error = suser(cp)) != 0) + (error = suser(cp)) != 0) { + mtx_leave(&findpr->ps_mtx); return (error); + } + mtx_leave(&findpr->ps_mtx); len = *oldlenp; if (len > MAXPATHLEN * 4) Index: sys/kern/sys_process.c =================================================================== RCS file: /cvs/src/sys/kern/sys_process.c,v retrieving revision 1.89 diff -u -p -r1.89 sys_process.c --- sys/kern/sys_process.c 7 Dec 2021 04:19:24 -0000 1.89 +++ sys/kern/sys_process.c 1 Dec 2022 19:49:15 -0000 @@ -376,10 +376,14 @@ ptrace_ctrl(struct proc *p, int req, pid * process which revokes its special privileges using * setuid() from being traced. This is good security.] */ + mtx_enter(&tr->ps_mtx); if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && - (error = suser(p)) != 0) + (error = suser(p)) != 0) { + mtx_leave(&tr->ps_mtx); goto fail; + } + mtx_leave(&tr->ps_mtx); /* * (5.5) it's not a child of the tracing process. @@ -822,10 +826,14 @@ process_checkioperm(struct proc *p, stru { int error; + mtx_enter(&tr->ps_mtx); if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && - (error = suser(p)) != 0) + (error = suser(p)) != 0) { + mtx_leave(&tr->ps_mtx); return (error); + } + mtx_leave(&tr->ps_mtx); if ((tr->ps_pid == 1) && (securelevel > -1)) return (EPERM); Index: sys/kern/syscalls.c =================================================================== RCS file: /cvs/src/sys/kern/syscalls.c,v retrieving revision 1.252 diff -u -p -r1.252 syscalls.c --- sys/kern/syscalls.c 30 Nov 2022 10:21:29 -0000 1.252 +++ sys/kern/syscalls.c 1 Dec 2022 19:49:15 -0000 @@ -1,4 +1,4 @@ -/* $OpenBSD: syscalls.c,v 1.252 2022/11/30 10:21:29 mvs Exp $ */ +/* $OpenBSD$ */ /* * System call names. Index: sys/kern/syscalls.master =================================================================== RCS file: /cvs/src/sys/kern/syscalls.master,v retrieving revision 1.237 diff -u -p -r1.237 syscalls.master --- sys/kern/syscalls.master 30 Nov 2022 10:20:37 -0000 1.237 +++ sys/kern/syscalls.master 1 Dec 2022 19:49:15 -0000 @@ -79,7 +79,7 @@ 21 STD { int sys_mount(const char *type, const char *path, \ int flags, void *data); } 22 STD { int sys_unmount(const char *path, int flags); } -23 STD { int sys_setuid(uid_t uid); } +23 STD NOLOCK { int sys_setuid(uid_t uid); } 24 STD NOLOCK { uid_t sys_getuid(void); } 25 STD NOLOCK { uid_t sys_geteuid(void); } #ifdef PTRACE @@ -184,7 +184,7 @@ int flags, int fd, off_t pos); } 79 STD NOLOCK { int sys_getgroups(int gidsetsize, \ gid_t *gidset); } -80 STD { int sys_setgroups(int gidsetsize, \ +80 STD NOLOCK { int sys_setgroups(int gidsetsize, \ const gid_t *gidset); } 81 STD { int sys_getpgrp(void); } 82 STD { int sys_setpgid(pid_t pid, pid_t pgid); } @@ -260,8 +260,8 @@ 123 STD { int sys_fchown(int fd, uid_t uid, gid_t gid); } 124 STD { int sys_fchmod(int fd, mode_t mode); } 125 OBSOL orecvfrom -126 STD { int sys_setreuid(uid_t ruid, uid_t euid); } -127 STD { int sys_setregid(gid_t rgid, gid_t egid); } +126 STD NOLOCK { int sys_setreuid(uid_t ruid, uid_t euid); } +127 STD NOLOCK { int sys_setregid(gid_t rgid, gid_t egid); } 128 STD { int sys_rename(const char *from, const char *to); } 129 OBSOL otruncate 130 OBSOL oftruncate @@ -340,9 +340,9 @@ 180 UNIMPL ; Syscalls 181-199 are used by/reserved for BSD -181 STD { int sys_setgid(gid_t gid); } -182 STD { int sys_setegid(gid_t egid); } -183 STD { int sys_seteuid(uid_t euid); } +181 STD NOLOCK { int sys_setgid(gid_t gid); } +182 STD NOLOCK { int sys_setegid(gid_t egid); } +183 STD NOLOCK { int sys_seteuid(uid_t euid); } 184 OBSOL lfs_bmapv 185 OBSOL lfs_markv 186 OBSOL lfs_segclean @@ -484,11 +484,11 @@ 280 UNIMPL sys_extattr_delete_fd 281 STD NOLOCK { int sys_getresuid(uid_t *ruid, uid_t *euid, \ uid_t *suid); } -282 STD { int sys_setresuid(uid_t ruid, uid_t euid, \ +282 STD NOLOCK { int sys_setresuid(uid_t ruid, uid_t euid, \ uid_t suid); } 283 STD NOLOCK { int sys_getresgid(gid_t *rgid, gid_t *egid, \ gid_t *sgid); } -284 STD { int sys_setresgid(gid_t rgid, gid_t egid, \ +284 STD NOLOCK { int sys_setresgid(gid_t rgid, gid_t egid, \ gid_t sgid); } 285 OBSOL sys_omquery 286 STD { void *sys_pad_mquery(void *addr, size_t len, \ Index: sys/sys/proc.h =================================================================== RCS file: /cvs/src/sys/sys/proc.h,v retrieving revision 1.335 diff -u -p -r1.335 proc.h --- sys/sys/proc.h 23 Nov 2022 11:00:27 -0000 1.335 +++ sys/sys/proc.h 1 Dec 2022 19:49:15 -0000 @@ -135,7 +135,7 @@ struct process { * some signal and ptrace behaviors that need to be fixed. */ struct proc *ps_mainproc; - struct ucred *ps_ucred; /* Process owner's identity. */ + struct ucred *ps_ucred; /* [m] Process owner's identity. */ LIST_ENTRY(process) ps_list; /* List of all processes. */ TAILQ_HEAD(,proc) ps_threads; /* [K|S] Threads in this process. */ Index: sys/sys/syscall.h =================================================================== RCS file: /cvs/src/sys/sys/syscall.h,v retrieving revision 1.251 diff -u -p -r1.251 syscall.h --- sys/sys/syscall.h 30 Nov 2022 10:21:29 -0000 1.251 +++ sys/sys/syscall.h 1 Dec 2022 19:49:15 -0000 @@ -1,4 +1,4 @@ -/* $OpenBSD: syscall.h,v 1.251 2022/11/30 10:21:29 mvs Exp $ */ +/* $OpenBSD$ */ /* * System call numbers. Index: sys/sys/syscallargs.h =================================================================== RCS file: /cvs/src/sys/sys/syscallargs.h,v retrieving revision 1.254 diff -u -p -r1.254 syscallargs.h --- sys/sys/syscallargs.h 30 Nov 2022 10:21:29 -0000 1.254 +++ sys/sys/syscallargs.h 1 Dec 2022 19:49:15 -0000 @@ -1,4 +1,4 @@ -/* $OpenBSD: syscallargs.h,v 1.254 2022/11/30 10:21:29 mvs Exp $ */ +/* $OpenBSD$ */ /* * System call argument lists.