From 79576f928088e07e607e34ae61238ab4736a26bf Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Mon, 24 Feb 2020 12:31:14 +0100
Subject: [PATCH] Kernel: Clear the region lookup cache on exec()

Each process has a 1-level lookup cache for fast repeated lookups of the same VM region (which tends to be the majority of lookups.) The cache is used by the following syscalls: munmap, madvise, mprotect and set_mmap_name. After a succesful exec(), there could be a stale Region* in the lookup cache, and the new executable was able to manipulate it using a number of use-after-free code paths.
---
 Kernel/Process.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index f862a580c2..73bc7266fb 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -952,6 +952,8 @@ int Process::do_exec(NonnullRefPtr main_program_description, Ve
 m_futex_queues.clear();
+ m_region_lookup_cache = {};
+
 disown_all_shared_buffers();
 for (int i = 0; i < m_fds.size(); ++i) {