Process: correct a subtle runLoopSource lifetime issue

compnerd · web-flow · commit ecb7096f9f8b · 2022-01-18T18:27:03.000Z
When a process is run with `run`, a monitoring thread is setup by means
of a socketpair.  This socket is used to create a runloop source, which
will monitor the process for termination.  `waitUntilExit` will monitor
the `isRunning` ivar which is set by the source to indicate the process
termination having been observed.  We however would previously mark the
process as terminated before invalidating the runloop source to prevent
any new callouts on the source. However, the operation is multithreaded
the operation is not guaranteed to be serialized and the runloop source
may be `nil`'ed prior or during the invalidation which also releases as
the refcount is now 0.  This would result in the `runloopSource` passed
to `CFRunLoopSourceInvalidate` being `nil` and breaking the contract of
the call or a UaF if the value is `nil`'ed during the execution.  These
states have both been observed in practice.  Reordering the `isRunning`
ivar assignment to occur after the invalidation ensures that the value
remains usable until we no longer reference it.
diff --git a/Sources/Foundation/Process.swift b/Sources/Foundation/Process.swift
@@ -642,17 +642,21 @@ open class Process: NSObject {
                 process._terminationReason = .exit
             }
 
-            if let handler = process.terminationHandler {
-                let thread: Thread = Thread { handler(process) }
-                thread.start()
+            // Invalidate the source and wake up the run loop, if it is available.
+            CFRunLoopSourceInvalidate(process.runLoopSource)
+            if let runloop = process.runLoop {
+                CFRunLoopWakeUp(runloop._cfRunLoop)
             }
 
+            // Ensure that the runLoop is invalidated before we mark the process
+            // as no longer running.  This serves as a semaphore to
+            // `waitUntilExit` to decrement the `runLoopSource` retain count,
+            // potentially releasing it.
             process.isRunning = false
 
-            // Invalidate the source and wake up the run loop, if it is available
-            CFRunLoopSourceInvalidate(process.runLoopSource)
-            if let runloop = process.runLoop {
-                CFRunLoopWakeUp(runloop._cfRunLoop)
+            if let handler = process.terminationHandler {
+                let thread: Thread = Thread { handler(process) }
+                thread.start()
             }
 
             CFSocketInvalidate(socket)
