From 34bcc4500d394b4b6043bd64065cdfce09d1c308 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Tue, 17 Feb 2026 03:26:48 -0300
Subject: [PATCH] fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure

---
 src/kernel/scheduler.c | 4 +++-
 src/kernel/syscall.c | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/kernel/scheduler.c b/src/kernel/scheduler.c
index b8a5569..67ccd00 100644
--- a/src/kernel/scheduler.c
+++ b/src/kernel/scheduler.c
@@ -276,9 +276,10 @@ static void process_reap_locked(struct process* p) {
 if (!p) return;
 if (p->pid == 0) return;
- /* Safety net: ensure process is not in any runqueue/sleep queue before freeing */
+ /* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing */
 rq_remove_if_queued(p);
 sleep_queue_remove(p);
+ alarm_queue_remove(p);
 if (p == ready_queue_head && p == ready_queue_tail) {
 return;
@@ -337,6 +338,7 @@ int process_kill(uint32_t pid, int sig) {
 if (sig <= 0 || sig >= PROCESS_MAX_SIG) return -EINVAL;
 if (current_process && current_process->pid == pid && sig == SIG_KILL) {
+ process_close_all_files_locked(current_process);
 process_exit_notify(128 + sig);
 hal_cpu_enable_interrupts();
 schedule();
diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index a9cb43e..145c830 100644
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -3341,7 +3341,11 @@ void syscall_handler(struct registers* regs) {
 /* We are in the child — exec immediately */
 int rc = syscall_execve_impl(regs, path, argv, envp);
 if (rc < 0) {
- /* execve failed — exit child */
+ /* execve failed — close FDs and exit child */
+ for (int _fd = 0; _fd < PROCESS_MAX_FILES; _fd++) {
+ if (current_process && current_process->files[_fd])
+ (void)fd_close(_fd);
+ }
 process_exit_notify(127);
 hal_cpu_enable_interrupts();
 schedule();
-- 
2.43.0
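Review bot: The safety net in process_reap_locked only holds if `alarm_queue_remove(p)` is a no-op for a process that was never armed or whose alarm already fired, because the reaper cannot know whether p is still on the alarm queue; unlike `rq_remove_if_queued`, the name does not advertise that tolerance, so state the contract at the call site, e.g. `/* alarm_queue_remove() must tolerate a p that is not queued */`. If the alarm queue is also walked from the timer interrupt, the removal here needs the same lock or interrupt masking that walker uses, and whether the `_locked` caller already provides that is not visible in this hunk. process_reap_locked continues past the end of the hunk.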
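Review bot: Closing files only on the self-SIGKILL branch of process_kill fixes one termination route but leaves any other path that reaches `process_exit_notify()` without passing through here with the same leak, and the execve-failure path in syscall.c (third hunk) hand-rolls an `fd_close` loop for the same purpose instead of calling `process_close_all_files_locked()`. Doing the close-all once inside process_exit_notify, or a shared exit helper, would cover every exit and keep the two sites consistent; if process_exit_notify already releases files somewhere not shown, this call would double-close them, which I cannot rule out from the hunk. The `_locked` suffix implies the process lock or interrupt-off state is held at this point; the `hal_cpu_enable_interrupts()` two lines below suggests interrupts are off, but the lock state itself is outside the hunk. process_kill continues past the hunk.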
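Review bot: The new loop in syscall_handler runs with interrupts still disabled, since `hal_cpu_enable_interrupts()` follows it; if `fd_close()` can block or take a lock that an interrupt path also takes, this is a hang risk worth confirming before merging. It also duplicates `process_close_all_files_locked()` from scheduler.c in this same patch and re-tests `current_process` on every iteration even though it cannot change inside the loop; if the helper's lock expectations match this context, collapse it to `if (current_process) process_close_all_files_locked(current_process);`. The loop variable `_fd` carries a leading underscore for no reason; `fd` is the conventional name at block scope. syscall_handler's body continues on both sides of the hunk.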