From 14cd1abcbd08240faf30953a9b371ad4a964a475 Mon Sep 17 00:00:00 2001
From: Amlal El Mahrouss
Date: Tue, 10 Jun 2025 18:18:46 +0200
Subject: fix: security: UAF on the `ups-allocation-tree` credits: - @0xf00sec who reported the issue. - @amlel-el-mahrouss who implemented the patch.
Signed-off-by: Amlal El Mahrouss
---
 dev/kernel/src/UserProcessScheduler.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'dev/kernel')
diff --git a/dev/kernel/src/UserProcessScheduler.cc b/dev/kernel/src/UserProcessScheduler.cc
index 6753b238..47a65202 100644
--- a/dev/kernel/src/UserProcessScheduler.cc
+++ b/dev/kernel/src/UserProcessScheduler.cc
@@ -242,10 +242,13 @@ STATIC Void sched_free_ptr_tree(PROCESS_HEAP_TREE* memory_ptr_list) {
 auto next = memory_ptr_list->Next;
- mm_free_ptr(memory_ptr_list);
+ if (next->Child) sched_free_ptr_tree(next->Child);
+
+ memory_ptr_list->Child = nullptr;
- if (memory_ptr_list->Child) sched_free_ptr_tree(memory_ptr_list->Child);
+ mm_free_ptr(memory_ptr_list);
+ memory_ptr_list = nullptr;
 memory_ptr_list = next;
 }
 }
@@ -262,16 +265,13 @@ Void USER_PROCESS::Exit(const Int32& exit_code) {
 this->LastExitCode = exit_code;
 this->UTime = 0;
- --this->ParentTeam->mProcessCur;
-
- auto memory_ptr_list = this->HeapTree;
-
 #ifdef __NE_VIRTUAL_MEMORY_SUPPORT__
 auto pd = kKernelVM;
 hal_write_cr3(this->VMRegister);
 #endif
- sched_free_ptr_tree(memory_ptr_list);
+ sched_free_ptr_tree(this->HeapTree);
+ this->HeapTree = nullptr;
 #ifdef __NE_VIRTUAL_MEMORY_SUPPORT__
 hal_write_cr3(pd);
--
cgit v1.2.3
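Review bot: In `sched_free_ptr_tree`, the added `if (next->Child)` dereferences `next` without a null check, so on the last node of the list (where `Next` is presumably null) the kernel reads through a null pointer. It also walks the following node's subtree instead of the current one's, and `memory_ptr_list->Child = nullptr;` then discards the current node's child without freeing it, so the head node's subtree appears to leak. Freeing the current node's children before the node itself avoids both problems and still fixes the use-after-free: `if (memory_ptr_list->Child) sched_free_ptr_tree(memory_ptr_list->Child);` followed by `mm_free_ptr(memory_ptr_list);`. The `memory_ptr_list = nullptr;` store is overwritten on the very next line and can be dropped. The loop header lies outside the hunk, so the termination condition is inferred from the two closing braces.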
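Review bot: `--this->ParentTeam->mProcessCur;` is removed from `USER_PROCESS::Exit` with no replacement visible in the hunk, and the commit message only describes the use-after-free fix. Unless the team's process count is decremented somewhere outside this hunk, it will stay one too high after every exit, which could affect any limit or scheduling decision derived from it. If the removal is intentional, it should be a separate commit or at least get a sentence in the message. The body of `Exit` continues outside the hunk, so a decrement further down cannot be ruled out.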