path: root/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
Diffstat (limited to 'packaging/0001-Fix-uaf-in-DestroyThread-function.patch')
-rw-r--r--packaging/0001-Fix-uaf-in-DestroyThread-function.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/packaging/0001-Fix-uaf-in-DestroyThread-function.patch b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
new file mode 100644
index 0000000000..d41473eb71
--- /dev/null
+++ b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
@@ -0,0 +1,52 @@
+From 26319006acafde23118c2fd566525a8c2864e748 Mon Sep 17 00:00:00 2001
+From: chunseok lee <chunseok.lee@samsung.com>
+Date: Wed, 13 Dec 2017 12:24:34 +0900
+Subject: [PATCH] Fix uaf in DestroyThread function
+
+upstream cherrypick : 14f609a711f61c0724
+From: Konstantin Baladurin <k.baladurin@partner.samsung.com>
+Date: Fri, 8 Dec 2017 15:28:40 +0300
+Subject: Fix uaf in DestroyThread function.
+
+Mark thread's buffers as no longer owned before calling
+Thread::OnThreadTerminate because thread can delete itself in
+this method.
+
+Signed-off-by: chunseok lee <chunseok.lee@samsung.com>
+---
+ src/vm/threads.cpp | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/vm/threads.cpp b/src/vm/threads.cpp
+index df8916c..59633fe 100644
+--- a/src/vm/threads.cpp
++++ b/src/vm/threads.cpp
+@@ -987,12 +987,6 @@ void DestroyThread(Thread *th)
+ #endif // _TARGET_X86_
+ #endif // WIN64EXCEPTIONS
+
+- if (g_fEEShutDown == 0)
+- {
+- th->SetThreadState(Thread::TS_ReportDead);
+- th->OnThreadTerminate(FALSE);
+- }
+-
+ #ifdef FEATURE_PERFTRACING
+ // Before the thread dies, mark its buffers as no longer owned
+ // so that they can be cleaned up after the thread dies.
+@@ -1002,6 +996,12 @@ void DestroyThread(Thread *th)
+ pBufferList->SetOwnedByThread(false);
+ }
+ #endif // FEATURE_PERFTRACING
++
++ if (g_fEEShutDown == 0)
++ {
++ th->SetThreadState(Thread::TS_ReportDead);
++ th->OnThreadTerminate(FALSE);
++ }
+ }
+
+ //-------------------------------------------------------------------------
+--
+2.7.4
+
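Review bot: The relocated `if (g_fEEShutDown == 0)` block at the end of `DestroyThread` has no comment saying why it must stay last, so a later edit that adds code dereferencing `th` after `th->OnThreadTerminate(FALSE)` would quietly reintroduce the use-after-free. The embedded commit message says the thread can delete itself in that call, so I would put a comment directly above the block, for example `// Must remain the last use of th: OnThreadTerminate may delete the Thread object.` The start of the `FEATURE_PERFTRACING` block falls between the two inner hunks and is not visible here, so it is worth confirming against the full file that nothing else after the moved block reads `th` in other build configurations.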