From ncb@diginix.net  Tue Nov  3 23:25:04 1998
Received: from diginix.net (diginix.net [206.222.176.14])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA07094
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 3 Nov 1998 23:24:59 -0800 (PST)
          (envelope-from ncb@diginix.net)
Received: (from root@localhost)
	by diginix.net (8.8.8/8.8.8) id XAA15378;
	Tue, 3 Nov 1998 23:26:00 -0600 (CST)
	(envelope-from ncb)
Message-Id: <199811040526.XAA15378@diginix.net>
Date: Tue, 3 Nov 1998 23:26:00 -0600 (CST)
From: root@diginix.net
Reply-To: ncb@attrition.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: patch for randomised process id allocation
X-Send-Pr-Version: 3.2

>Number:         8570
>Category:       kern
>Synopsis:       patch for randomised process id allocation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov  3 23:30:00 PST 1998
>Closed-Date:    Sat Jan 23 09:23:49 PST 1999
>Last-Modified:  Sat Jan 23 09:29:33 PST 1999
>Originator:     Charlie &
>Release:        FreeBSD 2.2.7-RELEASE i386
>Organization:
none
>Environment:

	i386 FreeBSD 2.2 system.

>Description:

	The incremental nature of current process id allocation can lend
	itself to a number of potentially serious security problems. This
	patch allocates a pid using the kernel's random() function in
	libkern. It is nearly the same as OpenBSD's equivalent, only
	difference being that obsd uses the arc4random() PRNG.

>How-To-Repeat:


>Fix:
	
*** kern_fork.c.orig    Mon Nov  2 22:11:24 1998
--- kern_fork.c Tue Nov  3 21:41:13 1998
***************
*** 53,58 ****
--- 53,61 ----
  #include <sys/acct.h>
  #include <sys/ktrace.h>
  #include <sys/unistd.h>
+ #include <sys/libkern.h>
+ #include <sys/time.h>
+ #include <sys/sysctl.h>

  #include <vm/vm.h>
  #include <vm/vm_param.h>
***************
*** 113,119 ****
--- 116,124 ----


  int   nprocs = 1;             /* process 0 */
+ static int randompid = 1;     /* set to 1 for randomised pids */
  static int nextpid = 0;
+ SYSCTL_INT(_kern, OID_AUTO, randompid, CTLFLAG_RW, &randompid, 0, "");

  static int
  fork1(p1, flags, retval)
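
Review bot: `randompid` is initialised to 1, so the new allocation path is on by default for every system that takes this patch, and the `SYSCTL_INT` line registers `kern.randompid` with an empty description string. Defaulting to 0 would keep the existing behaviour until an administrator opts in, and the description should say what the knob does; the text of the variable's own comment ("set to 1 for randomised pids") would do.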
***************
*** 124,129 ****
--- 129,135 ----
        register struct proc *p2, *pptr;
        register uid_t uid;
        struct proc *newproc;
+       struct timeval tv;
        int count;
        static int pidchecked = 0;
        fle_p ep ;
***************
*** 174,179 ****
--- 180,187 ----
         * ready to use (from nextpid+1 through pidchecked-1).
         */
        nextpid++;
+       if (randompid)
+               nextpid = PID_MAX;
  retry:
        /*
         * If the process ID prototype has wrapped around,
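
Review bot: with `randompid` set, the `nextpid = PID_MAX` assignment right after `nextpid++` sends every fork through the wrap-around branch below `retry:`, where `pidchecked` is reset to 0, so the cached free range that the comment above describes (nextpid+1 through pidchecked-1) is discarded and the `nextpid >= pidchecked` scan runs on each call. Using PID_MAX as a sentinel also hides the intent. Consider picking the random pid in its own branch and documenting the per-fork cost in a comment, since this is the path the sequential allocator keeps cheap.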
***************
*** 181,188 ****
         * tend to include daemons that don't exit.
         */
        if (nextpid >= PID_MAX) {
!               nextpid = 100;
!               pidchecked = 0;
        }
        if (nextpid >= pidchecked) {
                int doingzomb = 0;
--- 189,206 ----
         * tend to include daemons that don't exit.
         */
        if (nextpid >= PID_MAX) {
!               if(randompid)
!               {
!                       microtime(&tv);
!                       srandom(tv.tv_sec ^ tv.tv_usec);
!                       nextpid = random() % PID_MAX;
!                       pidchecked = 0;
!               }
!               else
!               {
!                       nextpid = 100;
!                       pidchecked = 0;
!               }
        }
        if (nextpid >= pidchecked) {
                int doingzomb = 0;
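
Review bot: in the `randompid` arm, `srandom(tv.tv_sec ^ tv.tv_usec)` reseeds the generator on every fork from the current time, so the value `random()` returns is determined by the clock reading rather than by accumulated generator state. Seed once, or use a generator intended for unpredictable output such as the arc4random() the description mentions. `random() % PID_MAX` can also return 0 or a value below 100, the range the original `nextpid = 100` skips, so a lower bound is needed. `pidchecked = 0;` appears in both arms and can be hoisted out of the if/else, and `if(randompid)` with braces on their own lines does not match the `if (...) {` style of the surrounding code.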

	

>Release-Note:
>Audit-Trail:

From: David Greenman <dg@root.com>
To: ncb@attrition.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/8570: patch for randomised process id allocation 
Date: Wed, 04 Nov 1998 00:01:06 -0800

 >	The incremental nature of current process id allocation can lend
 >	itself to a number of potentially serious security problems. This
 >	patch allocates a pid using the kernel's random() function in
 >	libkern. It is nearly the same as OpenBSD's equivalent, only
 >	difference being that obsd uses the arc4random() PRNG.
 
    Sounds like a serious pessimization to me. You're going to need a lot of
 justification for the alleged improved security that this brings before I'll
 buy into it.
 
 -DG
 
 David Greenman
 Co-founder/Principal Architect, The FreeBSD Project
State-Changed-From-To: open->closed 
State-Changed-By: rnordier 
State-Changed-When: Sat Jan 23 09:23:49 PST 1999 
State-Changed-Why:  
Architectural decision by dg: no further justification received from 
originator. 
>Unformatted:
