Kernel: Make Process::file_description() vend a RefPtr<FileDescription>

This encourages callers to strongly reference file descriptions while working with them. This fixes a use-after-free issue where one thread would close() an open fd while another thread was blocked on it becoming readable. Test: Kernel/uaf-close-while-blocked-in-read.cpp
2025-07-26 19:47:46 +00:00 · 2020-01-07 15:53:42 +01:00 · 2020-01-07 15:53:42 +01:00 · 5387a19268
commit 5387a19268
parent a47f3031ae
4 changed files with 66 additions and 46 deletions
--- a/Tests/Kernel/uaf-close-while-blocked-in-read.cpp
+++ b/Tests/Kernel/uaf-close-while-blocked-in-read.cpp
@ -0,0 +1,30 @@
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+int pipefds[2];
+
+int main(int, char**)
+{
+    pipe(pipefds);
+
+    pthread_t tid;
+    pthread_create(
+        &tid, nullptr, [](void*) -> void* {
+            sleep(1);
+            printf("Second thread closing pipes!\n");
+            close(pipefds[0]);
+            close(pipefds[1]);
+            pthread_exit(nullptr);
+            return nullptr;
+        },
+        nullptr);
+
+    printf("First thread doing a blocking read from pipe...\n");
+    char buffer[16];
+    int nread = read(pipefds[0], buffer, sizeof(buffer));
+    printf("Ok, read %d bytes from pipe\n", nread);
+
+    return 0;
+}