From 717b8a099bbb529931d38fbfa9035a505dcc90f3 Mon Sep 17 00:00:00 2001
From: Srikanth Patchava <srpatcha@users.noreply.github.com>
Date: Fri, 24 Apr 2026 20:22:22 -0700
Subject: [PATCH] fix: TOCTOU race condition in vTaskListTasks()

Read uxCurrentNumberOfTasks once into uxArraySize and use that local
variable for both the size check and pvPortMalloc() call. The previous
code read the volatile variable twice, allowing a task to be created
between the reads, resulting in an undersized allocation that could
cause a buffer overflow in uxTaskGetSystemState().
---
 tasks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks.c b/tasks.c
index c596c475f..6a3684ee5 100644
--- a/tasks.c
+++ b/tasks.c
@@ -7351,7 +7351,7 @@ static void prvResetNextTaskUnblockTime( void )
         /* MISRA Ref 11.5.1 [Malloc memory assignment] */
         /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */
         /* coverity[misra_c_2012_rule_11_5_violation] */
-        pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) );
+        pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) );
 
         if( pxTaskStatusArray != NULL )
         {
@@ -7520,7 +7520,7 @@ static void prvResetNextTaskUnblockTime( void )
         /* MISRA Ref 11.5.1 [Malloc memory assignment] */
         /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */
         /* coverity[misra_c_2012_rule_11_5_violation] */
-        pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) );
+        pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) );
 
         if( pxTaskStatusArray != NULL )
         {