Kernel: Fix race in waitid

This is similar to 28e1da3 and 4dd4dd2. The crux is that wait verifies that the outvalue (siginfo* infop) is writable *before* waiting, and writes to it *after* waiting. In the meantime, a concurrent thread can make the output region unwritable, e.g. by deallocating it.
cubiclove · Mar 8, 2020 · b066586 · b066586
1 parent d8cd4e4
commit b066586
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
@@ -2427,6 +2427,12 @@ pid_t Process::sys$waitid(const Syscall::SC_waitid_params* user_params)
  auto siginfo_or_error = do_waitid(static_cast<idtype_t>(params.idtype), params.id, params.options);
  if (siginfo_or_error.is_error())
  return siginfo_or_error.error();
+ // While we waited, the process lock was dropped. This gave other threads
+ // the opportunity to mess with the memory. For example, it could free the
+ // region, and map it to a region to which it has no write permissions.
+ // Therefore, we need to re-validate the pointer.
+ if (!validate_write_typed(params.infop))
+ return -EFAULT;
 
  copy_to_user(params.infop, &siginfo_or_error.value());
  return 0;