fix: UAF in alarm queue on reap, FD leak on self-SIGKILL and posix_spawn execve failure

diff --git a/src/kernel/scheduler.c b/src/kernel/scheduler.c
index b8a55699510796cd16189a6ea5591235b5fbce65..67ccd00db31b90e14022196f88c40cb3f22ae0dc 100644 (file)
--- a/src/kernel/scheduler.c
+++ b/src/kernel/scheduler.c
@@ -276,9 +276,10 @@ static void process_reap_locked(struct process* p) {
     if (!p) return;
     if (p->pid == 0) return;
 
-    /* Safety net: ensure process is not in any runqueue/sleep queue before freeing */
+    /* Safety net: ensure process is not in any runqueue/sleep/alarm queue before freeing */
     rq_remove_if_queued(p);
     sleep_queue_remove(p);
+    alarm_queue_remove(p);
 
     if (p == ready_queue_head && p == ready_queue_tail) {
         return;
@@ -337,6 +338,7 @@ int process_kill(uint32_t pid, int sig) {
     if (sig <= 0 || sig >= PROCESS_MAX_SIG) return -EINVAL;
 
     if (current_process && current_process->pid == pid && sig == SIG_KILL) {
+        process_close_all_files_locked(current_process);
         process_exit_notify(128 + sig);
         hal_cpu_enable_interrupts();
         schedule();

diff --git a/src/kernel/syscall.c b/src/kernel/syscall.c
index a9cb43e2fa5bc1dcc84cbc1f941b4ff539fcc975..145c830656652eba5be40662a649430dcdefc7bf 100644 (file)
--- a/src/kernel/syscall.c
+++ b/src/kernel/syscall.c
@@ -3341,7 +3341,11 @@ void syscall_handler(struct registers* regs) {
             /* We are in the child — exec immediately */
             int rc = syscall_execve_impl(regs, path, argv, envp);
             if (rc < 0) {
-                /* execve failed — exit child */
+                /* execve failed — close FDs and exit child */
+                for (int _fd = 0; _fd < PROCESS_MAX_FILES; _fd++) {
+                    if (current_process && current_process->files[_fd])
+                        (void)fd_close(_fd);
+                }
                 process_exit_notify(127);
                 hal_cpu_enable_interrupts();
                 schedule();