RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 07:48:11 +00:00
Code Issues Activity Actions

Kernel: Fix kernel null deref on process crash during join_thread()

Browse source 
The join_thread() syscall is not supposed to be interruptible by
signals, but it was. And since the process death mechanism piggybacked
on signal interrupts, it was possible to interrupt a pthread_join() by
killing the process that was doing it, leading to confusing due to some
assumptions being made by Thread::finalize() for threads that have a
pending joiner.

This patch fixes the issue by making "interrupted by death" a distinct
block result separate from "interrupted by signal". Then we handle that
state in join_thread() and tidy things up so that thread finalization
doesn't get confused by the pending joiner being gone.

Test: Tests/Kernel/null-deref-crash-during-pthread_join.cpp
This commit is contained in:
Andreas Kling 2020-01-10 19:15:01 +01:00
parent 6a529ea425
commit 8c5cd97b45
7 changed files with 55 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Net/LocalSocket.cpp
View file

@ -143,7 +143,7 @@ KResult LocalSocket::connect(FileDescription& description, const sockaddr* addre
return KSuccess;
}
if (current->block<Thread::ConnectBlocker>(description) == Thread::BlockResult::InterruptedBySignal) {
if (current->block<Thread::ConnectBlocker>(description) != Thread::BlockResult::WokeNormally) {
m_connect_side_role = Role::None;
return KResult(-EINTR);
}
@ -268,7 +268,7 @@ ssize_t LocalSocket::recvfrom(FileDescription& description, void* buffer, size_t
}
} else if (!can_read(description)) {
auto result = current->block<Thread::ReceiveBlocker>(description);
if (result == Thread::BlockResult::InterruptedBySignal)
if (result != Thread::BlockResult::WokeNormally)
return -EINTR;
}
if (!has_attached_peer(description) && buffer_for_me.is_empty())