Kernel: Fix memory corruption when rolling back regions in execve

We need to free the regions before reverting the paging scope to the original one when rolling back changes due to an error. This fixes silent memory corruption.
Author: https://github.com/tomuta Commit: https://github.com/SerenityOS/serenity/commit/e87eaf5df01 Pull-request: https://github.com/SerenityOS/serenity/pull/4707
2024-11-13 11:42:38 +03:00 · 2021-01-01 15:17:23 -07:00 · 2021-01-01 15:17:23 -07:00 · e87eaf5df0 · 2024-07-19 00:14:07 +09:00
commit e87eaf5df0
parent 2f429bd2d5
1 changed files with 7 additions and 2 deletions
--- a/Kernel/Syscalls/execve.cpp
+++ b/Kernel/Syscalls/execve.cpp
@ -157,7 +157,6 @@ KResultOr<Process::LoadResult> Process::load_elf_object(FileDescription& object_
    size_t master_tls_alignment = 0;
    FlatPtr load_base_address = 0;

-    MM.enter_process_paging_scope(*this);
    String elf_name = object_description.absolute_path();
    ASSERT(!Processor::current().in_critical());

@ -293,15 +292,21 @@ KResultOr<Process::LoadResult> Process::load(NonnullRefPtr<FileDescription> main
        old_page_directory = move(m_page_directory);
        old_regions = move(m_regions);
        m_page_directory = page_directory.release_nonnull();
+        MM.enter_process_paging_scope(*this);
    }

    ArmedScopeGuard rollback_regions_guard([&]() {
        ASSERT(Process::current() == this);
        // Need to make sure we don't swap contexts in the middle
        ScopedCritical critical;
+        // Explicitly clear m_regions *before* restoring the page directory,
+        // otherwise we may silently corrupt memory!
+        m_regions.clear();
+        // Now that we freed the regions, revert to the original page directory
+        // and restore the original regions
        m_page_directory = move(old_page_directory);
-        m_regions = move(old_regions);
        MM.enter_process_paging_scope(*this);
+        m_regions = move(old_regions);
    });

    if (!interpreter_description) {