Kernel: Fix Process use-after-free in Thread finalization

We leak a ref() onto every user process when constructing them, either via Process::create_user_process(), or via Process::sys$fork(). This ref() is balanced by a corresponding unref() in Thread::WaitBlockCondition::finalize(). Since kernel processes don't have a leaked ref() on them, this led to an extra Process::unref() on kernel processes during finalization. This happened during every boot, with the `init_stage2` process. Found by turning off kfree() scrubbing. :^)
Author: https://github.com/awesomekling Commit: 859e5741ff
2025-04-27 23:09:08 +00:00 · 2021-07-14 21:09:37 +02:00 · 2021-07-14 21:09:37 +02:00 · 859e5741ff · 2024-07-18 09:02:04 +09:00
commit 859e5741ff
parent 6211eb0f9a
3 changed files with 14 additions and 6 deletions
--- a/Kernel/ThreadBlockers.cpp
+++ b/Kernel/ThreadBlockers.cpp
@ -580,10 +580,13 @@ void Thread::WaitBlockCondition::finalize()
    // Clear the list of threads here so we can drop the references to them
    m_processes.clear();

-    // No more waiters, drop the last reference immediately. This may
-    // cause us to be destructed ourselves!
-    VERIFY(m_process.ref_count() > 0);
-    m_process.unref();
+    // NOTE: Kernel processes don't have a leaked ref on them.
+    if (!is_kernel_mode()) {
+        // No more waiters, drop the last reference immediately. This may
+        // cause us to be destructed ourselves!
+        VERIFY(m_process.ref_count() > 0);
+        m_process.unref();
+    }
 }

 Thread::WaitBlocker::WaitBlocker(int wait_options, idtype_t id_type, pid_t id, KResultOr<siginfo_t>& result)