Skip to content

Fix waitpid UAF, correct PR_SET_MM handling, add mincore stub #95

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sunhaosheng wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Fix waitpid UAF, correct PR_SET_MM handling, add mincore stub #95

sunhaosheng wants to merge 6 commits into from

Conversation

@sunhaosheng
Copy link
Contributor

@sunhaosheng sunhaosheng commented Dec 18, 2025

  1. read child pid/exit_code before free in waitpid

In sys_waitpid, child.pid() and child.exit_code() were read after calling child.free(), which could lead to use-after-free issues.

Fix: Read pid and exit_code before calling free().

  1. PR_SET_MM Handling in prctl

File: api/src/syscall/task/ctl.rs

Bug Description:
The prctl syscall was incorrectly matching PR_SET_MM_* constants at the top level instead of as sub-options of PR_SET_MM.

Fix:
Restructured the match to properly handle PR_SET_MM with its sub-options:

PR_SET_MM => match arg2 as u32 {
    PR_SET_MM_START_CODE | PR_SET_MM_END_CODE | ... => {}
    _ => return Err(AxError::InvalidInput),
}
  1. Added mincore Syscall Stub

File: api/src/syscall/mm/mmap.rs

Description:
Added sys_mincore that returns ENOSYS (Unsupported). This is safer than returning incorrect data and lets programs use fallback logic.

@sunhaosheng-kylin
fix(task): read child pid/exit_code before free in waitpid
6850127 
In sys_waitpid, child.pid() and child.exit_code() were read after
calling child.free(), which could lead to use-after-free issues.

Fix: Read pid and exit_code before calling free().
@sunhaosheng-kylin
fix(task): fix PR_SET_MM handling in prctl
222c445 
PR_SET_MM_* constants were incorrectly matched at the top level of
prctl instead of as sub-options of PR_SET_MM.

Fix: Restructure the match to handle PR_SET_MM with its sub-options
properly, and add more PR_SET_MM sub-options (BRK, ARG_*, ENV_*, etc.)
@sunhaosheng-kylin
feat(syscall): add mincore syscall stub
c915497 
Add sys_mincore that returns ENOSYS (Unsupported). This is safer than
returning incorrect data and lets programs use fallback logic.
@sunhaosheng-kylin
fix fmt
f05b84a
@sunhaosheng-kylin
fix clippy
b1b5093
@sunhaosheng-kylin
fix clippy2
d259241
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sunhaosheng @sunhaosheng-kylin