Kernel: Make Process::file_description() vend a RefPtr<FileDescription>

This encourages callers to strongly reference file descriptions while
working with them.

This fixes a use-after-free issue where one thread would close() an
open fd while another thread was blocked on it becoming readable.

Test: Kernel/uaf-close-while-blocked-in-read.cpp

1 files changed, 3 insertions, 3 deletions

diff --git a/Kernel/FileSystem/ProcFS.cpp b/Kernel/FileSystem/ProcFS.cpp
index 95dd14447c..79cf40e494 100644
--- a/Kernel/FileSystem/ProcFS.cpp
+++ b/Kernel/FileSystem/ProcFS.cpp
@@ -218,7 +218,7 @@ Optional<KBuffer> procfs$pid_fds(InodeIdentifier identifier)
     }
 
     for (int i = 0; i < process.max_open_file_descriptors(); ++i) {
-        auto* description = process.file_description(i);
+        auto description = process.file_description(i);
         if (!description)
             continue;
         bool cloexec = process.fd_flags(i) & FD_CLOEXEC;
@@ -245,7 +245,7 @@ Optional<KBuffer> procfs$pid_fd_entry(InodeIdentifier identifier)
         return {};
     auto& process = handle->process();
     int fd = to_fd(identifier);
-    auto* description = process.file_description(fd);
+    auto description = process.file_description(fd);
     if (!description)
         return {};
     return description->absolute_path().to_byte_buffer();
@@ -1191,7 +1191,7 @@ bool ProcFSInode::traverse_as_directory(Function<bool(const FS::DirectoryEntry&)
             return false;
         auto& process = handle->process();
         for (int i = 0; i < process.max_open_file_descriptors(); ++i) {
-            auto* description = process.file_description(i);
+            auto description = process.file_description(i);
             if (!description)
                 continue;
             char name[16];