From: Tulio A M Mendes
Date: Tue, 17 Feb 2026 06:26:48 +0000 (-0300)
Subject: fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure
X-Git-Url: https://projects.tadryanom.me/?a=commitdiff_plain;h=34bcc4500d394b4b6043bd64065cdfce09d1c308;p=AdrOS.git
fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure
---
diff --git a/src/kernel/scheduler.c b/src/kernel/scheduler.c
index b8a5569..67ccd00 100644
--- a/src/kernel/scheduler.c
+++ b/src/kernel/scheduler.c
@@ -276,9 +276,10 @@ static void process_reap_locked(struct process* p) {
 if (!p) return;
 if (p->pid == 0) return;
- /* Safety net: ensure process is not in any runqueue/sleep queue before freeing */
+ /* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing */
 rq_remove_if_queued(p);
 sleep_queue_remove(p);
+ alarm_queue_remove(p);
 if (p == ready_queue_head && p == ready_queue_tail) {
 return;
@@ -337,6 +338,7 @@ int process_kill(uint32_t pid, int sig) {
 if (sig <= 0 || sig >= PROCESS_MAX_SIG) return -EINVAL;
 if (current_process && current_process->pid == pid && sig == SIG_KILL) {
+ process_close_all_files_locked(current_process);
 process_exit_notify(128 + sig);
 hal_cpu_enable_interrupts();
 schedule();
diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index a9cb43e..145c830 100644
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -3341,7 +3341,11 @@ void syscall_handler(struct registers* regs) {
 /* We are in the child — exec immediately */
 int rc = syscall_execve_impl(regs, path, argv, envp);
 if (rc < 0) {
- /* execve failed — exit child */
+ /* execve failed — close FDs and exit child */
+ for (int _fd = 0; _fd < PROCESS_MAX_FILES; _fd++) {
+ if (current_process && current_process->files[_fd])
+ (void)fd_close(_fd);
+ }
 process_exit_notify(127);
 hal_cpu_enable_interrupts();
 schedule();
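Review bot: `alarm_queue_remove(p)` is added to the safety-net block of process_reap_locked, but nothing in the hunk says what serialises the alarm queue while it is edited; if the queue is also walked from the timer path (the name suggests it, the hunk cannot show it), the removal is only safe with that path masked or the scheduler lock held, which the `_locked` suffix implies and the comment should state. Suggest extending the updated comment to `/* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing. Caller holds the scheduler lock with IRQs masked — confirm alarm_queue_remove() cannot race the timer path. */`. The body of process_reap_locked continues past the hunk, so the free this guards is not visible here.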
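Review bot: The new `process_close_all_files_locked(current_process)` call in process_kill runs before `hal_cpu_enable_interrupts()`, so on the evidence of this hunk every file close on the self-SIGKILL path happens with interrupts disabled; if any close handler (pipe, socket, device) can sleep or wait on a lock, the call needs to move to a point where interrupts are on, or its non-blocking requirement needs documenting. A one-line comment would pin the constraint: `/* FDs are not released by process_exit_notify() on this path; close them here. IRQs still off — fd_close must not block. */`. The syscall.c hunk hand-rolls the same cleanup with a loop; routing both paths through this helper would keep them from diverging. process_kill continues outside the hunk.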
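Review bot: The new loop in syscall_handler re-tests `current_process` on every iteration and duplicates the cleanup that the scheduler.c hunk delegates to `process_close_all_files_locked()`; if that helper is reachable from syscall.c the four lines collapse to `process_close_all_files_locked(current_process);`, and if it is not, hoist the null check: `if (current_process) for (int fd = 0; fd < PROCESS_MAX_FILES; fd++) if (current_process->files[fd]) (void)fd_close(fd);`. The `_fd` name is legal at block scope, but leading underscores are conventionally left to the implementation and plain `fd` reads better. Discarding `fd_close`'s return is reasonable on an exit path, but a short comment saying so (`/* best effort: child is exiting anyway */`) would stop a later reader from "fixing" it. syscall_handler starts and ends outside the hunk.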