RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-16 20:15:07 +00:00
Code Issues Activity Actions

Kernel: Fix Process use-after-free in Thread finalization

Browse source 
We leak a ref() onto every user process when constructing them,
either via Process::create_user_process(), or via Process::sys$fork().

This ref() is balanced by a corresponding unref() in
Thread::WaitBlockCondition::finalize().

Since kernel processes don't have a leaked ref() on them, this led to
an extra Process::unref() on kernel processes during finalization.
This happened during every boot, with the `init_stage2` process.

Found by turning off kfree() scrubbing. :^)
This commit is contained in:
Andreas Kling 2021-07-14 21:09:37 +02:00
parent 6211eb0f9a
commit 859e5741ff
3 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Process.cpp
View file

@ -181,6 +181,10 @@ RefPtr<Process> Process::create_user_process(RefPtr<Thread>& first_thread, const
register_new(*process);
error = 0;
// NOTE: All user processes have a leaked ref on them. It's balanced by Thread::WaitBlockCondition::finalize().
(void)process.leak_ref();
return process;
}