From e87eaf5df0176531d5ce713ca0088b4ffb6d331a Mon Sep 17 00:00:00 2001
From: Tom
Date: Fri, 1 Jan 2021 15:17:23 -0700
Subject: [PATCH] Kernel: Fix memory corruption when rolling back regions in execve

We need to free the regions before reverting the paging scope to the original one when rolling back changes due to an error. This fixes silent memory corruption.
---
 Kernel/Syscalls/execve.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/Kernel/Syscalls/execve.cpp b/Kernel/Syscalls/execve.cpp
index 85c677c9dd..3224ed071a 100644
--- a/Kernel/Syscalls/execve.cpp
+++ b/Kernel/Syscalls/execve.cpp
@@ -157,7 +157,6 @@ KResultOr Process::load_elf_object(FileDescription& object_
     size_t master_tls_alignment = 0;
     FlatPtr load_base_address = 0;
 
-    MM.enter_process_paging_scope(*this);
     String elf_name = object_description.absolute_path();
 
     ASSERT(!Processor::current().in_critical());
@@ -293,15 +292,21 @@ KResultOr Process::load(NonnullRefPtr main
         old_page_directory = move(m_page_directory);
         old_regions = move(m_regions);
         m_page_directory = page_directory.release_nonnull();
+        MM.enter_process_paging_scope(*this);
     }
 
     ArmedScopeGuard rollback_regions_guard([&]() {
         ASSERT(Process::current() == this);
         // Need to make sure we don't swap contexts in the middle
         ScopedCritical critical;
+        // Explicitly clear m_regions *before* restoring the page directory,
+        // otherwise we may silently corrupt memory!
+        m_regions.clear();
+        // Now that we freed the regions, revert to the original page directory
+        // and restore the original regions
         m_page_directory = move(old_page_directory);
-        m_regions = move(old_regions);
         MM.enter_process_paging_scope(*this);
+        m_regions = move(old_regions);
     });
 
     if (!interpreter_description) {
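Review bot: In the rollback guard of the second hunk, `m_page_directory = move(old_page_directory);` drops the process's reference to the new page directory one statement before `MM.enter_process_paging_scope(*this);` switches away from it, and since `page_directory.release_nonnull()` earlier in the hunk made `m_page_directory` the sole owner, the directory that is still active is torn down inside that window; the commit reorders the region teardown but leaves this ordering as it was. Keeping the failed directory alive in a local until after the switch closes the window: `auto failed_page_directory = move(m_page_directory); m_page_directory = move(old_page_directory); MM.enter_process_paging_scope(*this);` with `failed_page_directory` destroyed only when the lambda returns. Whether PageDirectory's destructor releases pages that another CPU could reuse within the ScopedCritical section is not visible here, so the severity is inferred from the ownership semantics alone. Separately, because entering the paging scope now happens in load() right after the swap instead of inside load_elf_object(), load_elf_object (whose body begins before the first hunk) should state the new precondition, e.g. `// Caller must already have entered this process's paging scope (see Process::load()).`. The enclosing load() starts before and continues past this hunk; only the guard's lambda is fully visible.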