Andreas Kling 638fe6f84a Kernel: Disable interrupts while looking into the thread table ...

There was a race window in a bunch of syscalls between calling
Thread::from_tid() and checking if the found thread was in the same
process as the calling thread.

If the found thread object was destroyed at that point, there was a
use-after-free that could be exploited by filling the kernel heap with
something that looked like a thread object.

2020-01-27 14:04:57 +01:00

145 KiB

Raw Blame History

View Raw