fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure

diff --git a/src/kernel/scheduler.c b/src/kernel/scheduler.c
index fa6441617759003091bf94e4feeb8ad5bb8ff17c..8309f2e8de4e746a6d0885ee29295128e7f5d7b7 100644 (file)
--- a/src/kernel/scheduler.c
+++ b/src/kernel/scheduler.c
@@ -285,9 +285,10 @@ static void process_reap_locked(struct process* p) {
     if (!p) return;
     if (p->pid == 0) return;
 
-    /* Safety net: ensure process is not in any runqueue/sleep queue before freeing */
+    /* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing */
     rq_remove_if_queued(p);
     sleep_queue_remove(p);
+    alarm_queue_remove(p);
 
     if (p == ready_queue_head && p == ready_queue_tail) {
         return;
@@ -346,6 +347,7 @@ int process_kill(uint32_t pid, int sig) {
     if (sig <= 0 || sig >= PROCESS_MAX_SIG) return -EINVAL;
 
     if (current_process && current_process->pid == pid && sig == SIG_KILL) {
+        process_close_all_files_locked(current_process);
         process_exit_notify(128 + sig);
         hal_cpu_enable_interrupts();
         schedule();

diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index 45083d0d45a64e23d37a8bfba288a0b914b2baf0..54a034d0a855cdea1405081c4ea83693d1a203b1 100644 (file)
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -3350,7 +3350,11 @@ void syscall_handler(struct registers* regs) {
             /* We are in the child — exec immediately */
             int rc = syscall_execve_impl(regs, path, argv, envp);
             if (rc < 0) {
-                /* execve failed — exit child */
+                /* execve failed — close FDs and exit child */
+                for (int _fd = 0; _fd < PROCESS_MAX_FILES; _fd++) {
+                    if (current_process && current_process->files[_fd])
+                        (void)fd_close(_fd);
+                }
                 process_exit_notify(127);
                 hal_cpu_enable_interrupts();
                 schedule();