From c12f0507b6e5c7228794480bc4ca96ab78b5b5d6 Mon Sep 17 00:00:00 2001
From: Flavio Ceolin
Date: Fri, 17 May 2024 14:57:55 -0700
Subject: [PATCH] userspace: dynamic: Fix k_thread_stack_free verification

k_thread_stack_free syscall was not checking if the caller had permission to given stack object.

Signed-off-by: Flavio Ceolin
---
 kernel/dynamic.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel/dynamic.c b/kernel/dynamic.c
index d03e3669346..89f80933dd0 100644
--- a/kernel/dynamic.c
+++ b/kernel/dynamic.c
@@ -166,6 +166,15 @@ int z_impl_k_thread_stack_free(k_thread_stack_t *stack)
 #ifdef CONFIG_USERSPACE
 static inline int z_vrfy_k_thread_stack_free(k_thread_stack_t *stack)
 {
+ /* The thread stack object must not be in initialized state.
+ *
+ * Thread stack objects are initialized when the thread is created
+ * and de-initialized whent the thread is destroyed. Since we can't
+ * free a stack that is in use, we have to check that the caller
+ * has access to the object but that it is not in use anymore.
+ */
+ K_OOPS(K_SYSCALL_OBJ_NEVER_INIT(stack, K_OBJ_THREAD_STACK_ELEMENT));
+
 return z_impl_k_thread_stack_free(stack);
 }
 #include
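Review bot: The added `K_OOPS(K_SYSCALL_OBJ_NEVER_INIT(stack, K_OBJ_THREAD_STACK_ELEMENT))` in z_vrfy_k_thread_stack_free checks, per its own comment, that the caller has access to the stack object and that it is not in use, but nothing in the hunk establishes that the stack came from k_thread_stack_alloc or that it stays unused until the free completes. Both properties would have to be enforced in z_impl_k_thread_stack_free, whose body is outside this hunk, so it is worth confirming there that a statically defined stack the caller was granted access to is rejected and that the in-use check cannot race with a concurrent k_thread_create on the same stack. The comment should also state that a user-mode caller failing the check is faulted rather than handed the function's int error return, e.g. `* A failed check faults the calling thread instead of returning an error code.`, and `whent` should read `when`. The diffstat shows only kernel/dynamic.c changed; a userspace test that calls k_thread_stack_free on a stack the caller has no permission for would pin the fix against regression.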