RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-07 08:07:35 +00:00
Code Issues Activity Actions

Kernel: Fix kernel null deref on process crash during join_thread()

Browse source 
The join_thread() syscall is not supposed to be interruptible by
signals, but it was. And since the process death mechanism piggybacked
on signal interrupts, it was possible to interrupt a pthread_join() by
killing the process that was doing it, leading to confusing due to some
assumptions being made by Thread::finalize() for threads that have a
pending joiner.

This patch fixes the issue by making "interrupted by death" a distinct
block result separate from "interrupted by signal". Then we handle that
state in join_thread() and tidy things up so that thread finalization
doesn't get confused by the pending joiner being gone.

Test: Tests/Kernel/null-deref-crash-during-pthread_join.cpp
This commit is contained in:
Andreas Kling 2020-01-10 19:15:01 +01:00
parent 6a529ea425
commit 8c5cd97b45
7 changed files with 55 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

27
Kernel/Process.cpp
View file

@ -1369,7 +1369,7 @@ ssize_t Process::do_write(FileDescription& description, const u8* data, int data
#ifdef IO_DEBUG
dbgprintf("block write on %d\n", fd);
#endif
if (current->block<Thread::WriteBlocker>(description) == Thread::BlockResult::InterruptedBySignal) {
if (current->block<Thread::WriteBlocker>(description) != Thread::BlockResult::WokeNormally) {
if (nwritten == 0)
return -EINTR;
}
@ -1430,7 +1430,7 @@ ssize_t Process::sys$read(int fd, u8* buffer, ssize_t size)
return -EISDIR;
if (description->is_blocking()) {
if (!description->can_read()) {
if (current->block<Thread::ReadBlocker>(*description) == Thread::BlockResult::InterruptedBySignal)
if (current->block<Thread::ReadBlocker>(*description) != Thread::BlockResult::WokeNormally)
return -EINTR;
}
}
@ -2042,7 +2042,7 @@ pid_t Process::sys$waitpid(pid_t waitee, int* wstatus, int options)
}
pid_t waitee_pid = waitee;
if (current->block<Thread::WaitBlocker>(options, waitee_pid) == Thread::BlockResult::InterruptedBySignal)
if (current->block<Thread::WaitBlocker>(options, waitee_pid) != Thread::BlockResult::WokeNormally)
return -EINTR;
InterruptDisabler disabler;
@ -2445,7 +2445,7 @@ int Process::sys$select(const Syscall::SC_select_params* params)
#endif
if (!timeout || select_has_timeout) {
if (current->block<Thread::SelectBlocker>(computed_timeout, select_has_timeout, rfds, wfds, efds) == Thread::BlockResult::InterruptedBySignal)
if (current->block<Thread::SelectBlocker>(computed_timeout, select_has_timeout, rfds, wfds, efds) != Thread::BlockResult::WokeNormally)
return -EINTR;
}
@ -2505,7 +2505,7 @@ int Process::sys$poll(pollfd* fds, int nfds, int timeout)
#endif
if (has_timeout || timeout < 0) {
if (current->block<Thread::SelectBlocker>(actual_timeout, has_timeout, rfds, wfds, Thread::SelectBlocker::FDVector()) == Thread::BlockResult::InterruptedBySignal)
if (current->block<Thread::SelectBlocker>(actual_timeout, has_timeout, rfds, wfds, Thread::SelectBlocker::FDVector()) != Thread::BlockResult::WokeNormally)
return -EINTR;
}
@ -2811,7 +2811,7 @@ int Process::sys$accept(int accepting_socket_fd, sockaddr* address, socklen_t* a
auto& socket = *accepting_socket_description->socket();
if (!socket.can_accept()) {
if (accepting_socket_description->is_blocking()) {
if (current->block<Thread::AcceptBlocker>(*accepting_socket_description) == Thread::BlockResult::InterruptedBySignal)
if (current->block<Thread::AcceptBlocker>(*accepting_socket_description) != Thread::BlockResult::WokeNormally)
return -EINTR;
} else {
return -EAGAIN;
@ -3358,9 +3358,18 @@ int Process::sys$join_thread(int tid, void** exit_value)
void* joinee_exit_value = nullptr;
// FIXME: pthread_join() should not be interruptable. Enforce this somehow?
auto result = current->block<Thread::JoinBlocker>(*thread, joinee_exit_value);
(void)result;
// NOTE: pthread_join() cannot be interrupted by signals. Only by death.
for (;;) {
auto result = current->block<Thread::JoinBlocker>(*thread, joinee_exit_value);
if (result == Thread::BlockResult::InterruptedByDeath) {
// NOTE: This cleans things up so that Thread::finalize() won't
// get confused about a missing joiner when finalizing the joinee.
InterruptDisabler disabler;
current->m_joinee->m_joiner = nullptr;
current->m_joinee = nullptr;
return 0;
}
}
// NOTE: 'thread' is very possibly deleted at this point. Clear it just to be safe.
thread = nullptr;