| field | value | date |
|---|---|---|
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2022-05-02 19:34:00 +0000 |
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2022-05-02 19:34:00 +0000 |
| commit | 9126ee3eea90d639f4e877c01400248581d10f65 (patch) | |
| tree | 5547155701251322c90854249e5fcee0c3828ad5 /sys/src/9/port/sysproc.c | |
| parent | 641bd4512ff02b1b86157263ab604bc790f0c89d (diff) | |
kernel: fix noteid change race condition from devproc while forking (thanks joe7)
devproc allows changing the noteid of another process,
which opens a race condition in sysrfork(): when deciding
to inherit the noteid of "up" to the child and calling
pidalloc() later to take the reference, the noteid could
have been changed and the child's noteid could have been
freed already in the process.

this bug can only happen when one writes the /proc/n/noteid
file of another process than your own that is in the
process of forking.

the noteid changing functionality of devproc seems questionable
and seems to be only used by ape's setpgrid() implementation.
Diffstat (limited to 'sys/src/9/port/sysproc.c')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | sys/src/9/port/sysproc.c | 12 |

1 files changed, 9 insertions, 3 deletions
diff --git a/sys/src/9/port/sysproc.c b/sys/src/9/port/sysproc.c index f451e047d..b3b7a0439 100644 --- a/sys/src/9/port/sysproc.c +++ b/sys/src/9/port/sysproc.c @@ -79,14 +79,18 @@ sysrfork(va_list list) envcpy(up->egrp, oeg); closeegrp(oeg); } - if(flag & RFNOTEG) - setnoteid(up, 0); + if(flag & RFNOTEG){ + qlock(&up->debug); + setnoteid(up, 0); /* can't error() with 0 argument */ + qunlock(&up->debug); + } return 0; } if((p = newproc()) == nil) error("no procs"); + qlock(&up->debug); qlock(&p->debug); p->scallnr = up->scallnr; @@ -112,7 +116,8 @@ sysrfork(va_list list) p->procctl = Proc_tracesyscall; p->kp = 0; - /* Craft a return frame which will cause the child to pop out of + /* + * Craft a return frame which will cause the child to pop out of * the scheduler in user mode with the return register zero */ forkchild(p, up->dbgreg); @@ -132,6 +137,7 @@ sysrfork(va_list list) pid = pidalloc(p); qunlock(&p->debug); + qunlock(&up->debug); /* Abort the child process on error */ if(waserror()){ |
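Review bot: in the first hunk the new qlock(&up->debug) taken right after newproc() stays held until the qunlock(&up->debug) after pidalloc() in the last hunk, and the only thing guarding against an error() unwinding past a held lock is the inline comment `setnoteid(up, 0); /* can't error() with 0 argument */` on the RFNOTEG early-return path. It would be safer to state at the qlock(&up->debug) site which calls between the two hunks are relied on never to error(), or to wrap that region in waserror()/poperror() so up->debug cannot be left locked on an error path. The acquisition order, up->debug before p->debug, also deserves a comment: p is a fresh proc from newproc(), but any other path that takes a child's debug lock before its parent's would deadlock against this one, so that ordering should be checked and documented.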
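Review bot: the second hunk only reflows the comment above forkchild(p, up->dbgreg) from the `/* Craft a return frame ...` form to the multi-line `/*` style and is unrelated to the noteid locking fix; fine to keep, but it is not mentioned in the commit message and would be cleaner as a separate cosmetic commit.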
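Review bot: the last hunk releases up->debug after p->debug, the reverse of the acquisition order in the first hunk, and does so before the waserror() block, so the child-abort path never runs with the parent's lock held; good. What the code does not say is why up->debug must be held across pidalloc(p) (excluding a concurrent /proc/n/noteid write, per the commit message), so a one-line comment at either the qlock or this qunlock would keep that invariant discoverable for the next change to sysrfork().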