From 702948fe65a4d7a7cd8ffcc52fe94c4e33dc12c1 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Tue, 17 Feb 2026 03:26:48 -0300
Subject: [PATCH] fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure
---
 src/kernel/scheduler.c | 4 +++-
 src/kernel/syscall.c | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/kernel/scheduler.c b/src/kernel/scheduler.c
index fa644161..8309f2e8 100644
--- a/src/kernel/scheduler.c
+++ b/src/kernel/scheduler.c
@@ -285,9 +285,10 @@ static void process_reap_locked(struct process* p) {
     if (!p) return;
     if (p->pid == 0) return;
-    /* Safety net: ensure process is not in any runqueue/sleep queue before freeing */
+    /* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing */
     rq_remove_if_queued(p);
     sleep_queue_remove(p);
+    alarm_queue_remove(p);
     if (p == ready_queue_head && p == ready_queue_tail) {
         return;
@@ -346,6 +347,7 @@ int process_kill(uint32_t pid, int sig) {
     if (sig <= 0 || sig >= PROCESS_MAX_SIG) return -EINVAL;
     if (current_process && current_process->pid == pid && sig == SIG_KILL) {
+        process_close_all_files_locked(current_process);
         process_exit_notify(128 + sig);
         hal_cpu_enable_interrupts();
         schedule();
diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index 45083d0d..54a034d0 100644
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -3350,7 +3350,11 @@ void syscall_handler(struct registers* regs) {
             /* We are in the child — exec immediately */
             int rc = syscall_execve_impl(regs, path, argv, envp);
             if (rc < 0) {
-                /* execve failed — exit child */
+                /* execve failed — close FDs and exit child */
+                for (int _fd = 0; _fd < PROCESS_MAX_FILES; _fd++) {
+                    if (current_process && current_process->files[_fd])
+                        (void)fd_close(_fd);
+                }
                 process_exit_notify(127);
                 hal_cpu_enable_interrupts();
                 schedule();
-- 
2.43.0
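Review bot: The new `alarm_queue_remove(p);` in process_reap_locked is used as a safety net, so it must be a no-op when p is not on the alarm queue and must be safe to call with the lock the `_locked` suffix implies already held; neither property is visible in this hunk, and unlike `rq_remove_if_queued` the name does not promise idempotence. If the alarm queue is guarded by its own lock, calling it here also fixes a lock order that should be written down. Suggest extending the comment: `/* Safety net: ... all three removals must tolerate p not being queued and are called with the scheduler lock held */`. The original UAF suggests the alarm queue was the only queue that could still reference a freed process, so this is the right place, but a comment at alarm_queue_remove's definition stating it is idempotent would make the contract checkable. process_reap_locked continues outside the hunk.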
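Review bot: `process_close_all_files_locked(current_process);` is added only on the self-SIGKILL path of process_kill, which fixes one leak by duplicating cleanup at a call site instead of in the common termination path; the posix_spawn hunk in syscall.c does the same thing a second way with a hand-written fd_close loop. If process_exit_notify is the shared step every terminating process passes through, closing the file table there (or in the reap) would cover both of these paths and any other exit path that currently leaks, and would let both hunks shrink to nothing; if it cannot be done there, a comment saying why this path bypasses the normal close is warranted, e.g. `/* self-SIGKILL never returns to the exit syscall, so the file table must be released here */`. Whether a non-self `process_kill(pid, SIG_KILL)` leaves the target's files to be closed by its own exit path is not visible here and worth confirming. process_kill continues outside the hunk.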
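Review bot: The execve-failure loop in syscall_handler re-tests `current_process` on every iteration and re-implements what `process_close_all_files_locked` does in the scheduler.c hunk of this same patch; if that helper is reachable from syscall.c the five added lines collapse to `if (current_process) process_close_all_files_locked(current_process);`, and otherwise the NULL check should at least be hoisted out of the loop. `(void)fd_close(_fd)` also discards the close result, which is acceptable for best-effort teardown but deserves a one-word comment (`/* best effort */`) so it is not mistaken for a missed check. Whether `_locked` helpers may be called in the interrupt state syscall_handler is in at this point is not visible here and should be confirmed against the helper's contract. syscall_handler starts and ends outside the hunk.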