LibCore: Avoid UAF on the array of wake pipes when exit()ing

If exit() is called on a thread with an EventLoop in the stack, the ThreadData storing the array of wake pipes will be destroyed first. Threads can still take a strong reference to the EventLoop after that, and will read the fds from freed memory. Instead, take a copy of the write fd, and swallow EBADF when writing to it, since that only indicates that the thread and event loop are exiting, so there's nothing to do with the wake.
Author: https://github.com/Zaggy1024 Commit: https://github.com/LadybirdBrowser/ladybird/commit/04e95b7dd16 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/8197 Reviewed-by: https://github.com/gmta ✅
2026-04-25 17:25:08 +02:00 · 2026-02-27 06:45:27 -06:00 · 2026-03-02 23:09:14 +00:00
parent 75aac67adb
commit 04e95b7dd1
2 changed files with 14 additions and 4 deletions
--- a/Libraries/LibCore/EventLoopImplementationUnix.h
+++ b/Libraries/LibCore/EventLoopImplementationUnix.h
@@ -55,8 +55,9 @@ private:
    bool m_exit_requested { false };
    int m_exit_code { 0 };

-    // The wake pipe of this event loop needs to be accessible from other threads.
-    Array<int, 2>& m_wake_pipe_fds;
+    // The write end of the wake pipe, copied by value so it remains valid even
+    // if ThreadData is destroyed before this event loop (e.g. during exit()).
+    int m_wake_pipe_write_fd;
 };

 using EventLoopManagerPlatform = EventLoopManagerUnix;