RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-23 18:45:07 +00:00
Code Issues Activity Actions

Kernel: Fix Process use-after-free in Thread finalization

Browse source 
We leak a ref() onto every user process when constructing them,
either via Process::create_user_process(), or via Process::sys$fork().

This ref() is balanced by a corresponding unref() in
Thread::WaitBlockCondition::finalize().

Since kernel processes don't have a leaked ref() on them, this led to
an extra Process::unref() on kernel processes during finalization.
This happened during every boot, with the `init_stage2` process.

Found by turning off kfree() scrubbing. :^)
This commit is contained in:
Andreas Kling 2021-07-14 21:09:37 +02:00
parent 6211eb0f9a
commit 859e5741ff
3 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Process.cpp
View file

@ -181,6 +181,10 @@ RefPtr<Process> Process::create_user_process(RefPtr<Thread>& first_thread, const
register_new(*process); register_new(*process);
error = 0; error = 0;
// NOTE: All user processes have a leaked ref on them. It's balanced by Thread::WaitBlockCondition::finalize().
(void)process.leak_ref();
return process; return process;
} }

5
Kernel/Syscalls/fork.cpp
View file

@ -119,9 +119,10 @@ KResultOr<FlatPtr> Process::sys$fork(RegisterState& regs)
child_first_thread->set_state(Thread::State::Runnable); child_first_thread->set_state(Thread::State::Runnable);
auto child_pid = child->pid().value(); auto child_pid = child->pid().value();
// We need to leak one reference so we don't destroy the Process,
// which will be dropped by Process::reap // NOTE: All user processes have a leaked ref on them. It's balanced by Thread::WaitBlockCondition::finalize().
(void)child.leak_ref(); (void)child.leak_ref();
return child_pid; return child_pid;
} }

11
Kernel/ThreadBlockers.cpp
View file

@ -580,10 +580,13 @@ void Thread::WaitBlockCondition::finalize()
// Clear the list of threads here so we can drop the references to them // Clear the list of threads here so we can drop the references to them
m_processes.clear(); m_processes.clear();
// No more waiters, drop the last reference immediately. This may // NOTE: Kernel processes don't have a leaked ref on them.
// cause us to be destructed ourselves! if (!is_kernel_mode()) {
VERIFY(m_process.ref_count() > 0); // No more waiters, drop the last reference immediately. This may
m_process.unref(); // cause us to be destructed ourselves!
VERIFY(m_process.ref_count() > 0);
m_process.unref();
}
} }
Thread::WaitBlocker::WaitBlocker(int wait_options, idtype_t id_type, pid_t id, KResultOr<siginfo_t>& result) Thread::WaitBlocker::WaitBlocker(int wait_options, idtype_t id_type, pid_t id, KResultOr<siginfo_t>& result)