From df20f869142156576e4c14ae957b1a441859f9a2 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Mon, 25 May 2026 16:16:48 -0300
Subject: [PATCH] security: Round 5.5 posix_spawn PID fix (A13)

A13: Fix posix_spawn wrapper to preserve child PID
- Kernel copies child PID to *pid via copy_to_user
- Wrapper was overwriting *pid with return value (0 on success)
- Removed the line that overwrote *pid, kernel already filled it in
Tests: 119/119 PASS (smoke test, SMP=4)
---
 user/ulibc/src/spawn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/user/ulibc/src/spawn.c b/user/ulibc/src/spawn.c
index a39a57af..de0c4168 100644
--- a/user/ulibc/src/spawn.c
+++ b/user/ulibc/src/spawn.c
@@ -18,12 +18,13 @@ int posix_spawn(int* pid, const char* path,
 char* const argv[], char* const envp[]) {
 (void)file_actions;
 (void)attrp;
+ /* A13: Kernel copies child PID to *pid via copy_to_user, return value is 0 on success */
 int ret = _syscall4(SYS_POSIX_SPAWN, (int)pid, (int)path, (int)argv, (int)envp);
 if (ret < 0) {
 errno = -ret;
 return -ret;
 }
- if (pid) *pid = ret;
+ /* Don't overwrite *pid - kernel already filled it in */
 return 0;
 }
--
2.43.0
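Review bot: After this change the kernel's copy_to_user is the only write to `*pid`, yet neither new comment says what happens when the caller passes a NULL `pid`, which the removed `if (pid)` guard shows the wrapper expected and which POSIX permits. The kernel side is not visible here, so confirm that SYS_POSIX_SPAWN skips the copy for a NULL destination instead of returning an error after the child already exists, which would report failure while leaving a running child the caller cannot track. I would state that contract in the first comment, for example `/* Kernel writes the child PID to *pid (skipped when pid is NULL); returns 0 or -errno */`. The commit message cites only the smoke-test total, so a regression test that asserts `*pid > 0` after a successful spawn and that waiting on that PID succeeds would pin the fix. The function's signature begins above the hunk, so the parameter list was only partly visible for this review.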