From 2dc9c86bad76b56c4d58334a633f78a34e3500bf Mon Sep 17 00:00:00 2001
From: Andreas Kling <awesomekling@gmail.com>
Date: Thu, 31 Jan 2019 07:02:40 +0100
Subject: [PATCH] Kernel: Make Process a Weakable class.

Use this to fix a use-after-free in ~GraphicsBitmap(). We'd hit this when
the WindowServer was doing a deferred destruction of a WSWindow whose
backing store referred to a now-reaped Process.
---
 Kernel/Process.h                  | 3 ++-
 SharedGraphics/GraphicsBitmap.cpp | 4 ++--
 SharedGraphics/GraphicsBitmap.h   | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Kernel/Process.h b/Kernel/Process.h
index a17e9da359..b2b8f961ac 100644
--- a/Kernel/Process.h
+++ b/Kernel/Process.h
@@ -12,6 +12,7 @@
 #include <AK/AKString.h>
 #include <AK/Vector.h>
 #include <AK/WeakPtr.h>
+#include <AK/Weakable.h>
 #include <AK/Lock.h>
 
 class FileDescriptor;
@@ -45,7 +46,7 @@ struct DisplayInfo {
     byte* framebuffer;
 };
 
-class Process : public InlineLinkedListNode<Process> {
+class Process : public InlineLinkedListNode<Process>, public Weakable<Process> {
     friend class InlineLinkedListNode<Process>;
     friend class WSWindowManager; // FIXME: Make a better API for allocate_region().
     friend class GraphicsBitmap; // FIXME: Make a better API for allocate_region().
diff --git a/SharedGraphics/GraphicsBitmap.cpp b/SharedGraphics/GraphicsBitmap.cpp
index 7121161ce1..97d8e815d4 100644
--- a/SharedGraphics/GraphicsBitmap.cpp
+++ b/SharedGraphics/GraphicsBitmap.cpp
@@ -16,7 +16,7 @@ RetainPtr<GraphicsBitmap> GraphicsBitmap::create(Process& process, const Size& s
 GraphicsBitmap::GraphicsBitmap(Process& process, const Size& size)
     : m_size(size)
     , m_pitch(size.width() * sizeof(RGBA32))
-    , m_client_process(&process)
+    , m_client_process(process.makeWeakPtr())
 {
     InterruptDisabler disabler;
     size_t size_in_bytes = size.width() * size.height() * sizeof(RGBA32);
@@ -47,7 +47,7 @@ GraphicsBitmap::GraphicsBitmap(const Size& size, RGBA32* data)
 GraphicsBitmap::~GraphicsBitmap()
 {
 #ifdef KERNEL
-    if (m_client_region)
+    if (m_client_region && m_client_process)
         m_client_process->deallocate_region(*m_client_region);
     if (m_server_region)
         WSMessageLoop::the().server_process().deallocate_region(*m_server_region);
diff --git a/SharedGraphics/GraphicsBitmap.h b/SharedGraphics/GraphicsBitmap.h
index a0796f92a4..de3f934ad2 100644
--- a/SharedGraphics/GraphicsBitmap.h
+++ b/SharedGraphics/GraphicsBitmap.h
@@ -43,7 +43,7 @@ private:
     size_t m_pitch { 0 };
 
 #ifdef KERNEL
-    Process* m_client_process { nullptr };
+    WeakPtr<Process> m_client_process;
     Region* m_client_region { nullptr };
     Region* m_server_region { nullptr };
 #endif