Security: Potential race condition during syscalls
Created by: Yoric
Consider a process P with two threads T and U.

- Thread T allocates a buffer `buf` and shares the address of `buf` with U.
- Thread T issues `syscall::read` with argument `buf`.
- The syscall starts. Thread T is blocked.
- The kernel receives `buf` as a pointer.
- Thread U (which is not blocked) releases the entire page containing `buf`.
- The kernel writes to `buf`, which is probably unallocated by now, or could belong to any other process, or even to the kernel.

Cross-process or process-to-kernel memory corruption ensues.
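The sequence above, replayed as an added Rust model that is not code from this report or from any kernel: a tiny frame allocator, an unpinned path in which the kernel's deferred write lands in a frame already handed to someone else, and a pinned path in which the frame stays reserved until the syscall completes. `Memory`, `Outcome` and `run_race` are constructed names; the race is serialized into the exact order the report describes.

```rust
/// Constructed model of a physical frame allocator (not any real kernel's code).
/// `pins` counts in-flight syscalls still referencing a frame; a pinned frame that
/// its owner releases is parked in `deferred` and only freed on the last unpin.
struct Memory {
    frames: Vec<[u8; 4]>,
    free: Vec<usize>,
    pins: Vec<u32>,
    deferred: Vec<bool>,
}

impl Memory {
    fn new(n: usize) -> Self {
        Memory { frames: vec![[0; 4]; n], free: (0..n).rev().collect(), pins: vec![0; n], deferred: vec![false; n] }
    }
    fn alloc(&mut self) -> usize { self.free.pop().expect("out of frames") }
    fn release(&mut self, pfn: usize) {
        if self.pins[pfn] == 0 { self.free.push(pfn) } else { self.deferred[pfn] = true }
    }
    fn pin(&mut self, pfn: usize) { self.pins[pfn] += 1 }
    fn unpin(&mut self, pfn: usize) {
        self.pins[pfn] -= 1;
        if self.pins[pfn] == 0 && self.deferred[pfn] { self.deferred[pfn] = false; self.free.push(pfn) }
    }
}

/// What happened to the frame behind `buf` after one replay of the race.
#[derive(Debug, PartialEq)]
struct Outcome { victim_got_bufs_frame: bool, victim_corrupted: bool, buf_frame_on_free_list: bool }

/// Replays the report's sequence: T allocates `buf` and enters `read`; while T is
/// blocked, U releases buf's page and some other allocation grabs a frame; then the
/// kernel completes its write. `pin_for_syscall` selects the mitigation.
fn run_race(pin_for_syscall: bool) -> Outcome {
    let payload = [0xAA; 4];                     // bytes the kernel will deliver into buf
    let mut mem = Memory::new(3);
    let buf = mem.alloc();                       // T allocates buf
    if pin_for_syscall { mem.pin(buf) }          // kernel pins buf's frame at syscall entry
    mem.release(buf);                            // U frees the page while T is blocked
    let victim = mem.alloc();                    // another process (or the kernel) allocates
    mem.frames[buf].copy_from_slice(&payload);   // kernel finishes the read into buf's frame
    if pin_for_syscall { mem.unpin(buf) }        // syscall returns; a deferred free happens now
    Outcome {
        victim_got_bufs_frame: victim == buf,
        victim_corrupted: mem.frames[victim] == payload,
        buf_frame_on_free_list: mem.free.contains(&buf),
    }
}

fn main() {
    println!("unpinned: {:?}", run_race(false));
    println!("pinned:   {:?}", run_race(true));
}
```

With pinning, the unmap by U only detaches the mapping; the frame itself is returned to the allocator after the syscall's write has completed, so the victim allocation gets a different frame.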