From fc5ebe2a500e1bdbee689dd8dbaead68966f1e9c Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Sat, 22 Feb 2020 12:27:12 +0100
Subject: Kernel: Disown shared buffers on sys$execve()

When committing to a new executable, disown any shared buffers that the
process was previously co-owning.

Otherwise accessing the same shared buffer ID from the new program
would cause the kernel to find a cached (and stale!) reference to the
previous program's VM region corresponding to that shared buffer,
leading to a Region* use-after-free.

Fixes #1270.
---
 Kernel/Process.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index 4eb4284c45..9efd031561 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -952,6 +952,8 @@ int Process::do_exec(NonnullRefPtr<FileDescription> main_program_description, Ve
 
     m_futex_queues.clear();
 
+    disown_all_shared_buffers();
+
     for (int i = 0; i < m_fds.size(); ++i) {
         auto& daf = m_fds[i];
         if (daf.description && daf.flags & FD_CLOEXEC) {
-- 
cgit v1.2.3