From 9401749a0dbd68b4d503395f168887163ee32fa7 Mon Sep 17 00:00:00 2001
From: Srikanth Patchava
Date: Mon, 15 Jun 2026 21:34:07 -0700
Subject: [PATCH] fix: TOCTOU race condition in vTaskListTasks()

Read uxCurrentNumberOfTasks once into uxArraySize and use that local variable for both the size check and pvPortMalloc() call. The previous code read the volatile variable twice, allowing a task to be created between the reads, resulting in an undersized allocation that could cause a buffer overflow in uxTaskGetSystemState().
---
 tasks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks.c b/tasks.c
index b0299d12b1..461271fcff 100644
--- a/tasks.c
+++ b/tasks.c
@@ -7362,7 +7362,7 @@ STATIC void prvResetNextTaskUnblockTime( void )
 /* MISRA Ref 11.5.1 [Malloc memory assignment] */
 /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */
 /* coverity[misra_c_2012_rule_11_5_violation] */
- pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) );
+ pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) );
 
 if( pxTaskStatusArray != NULL )
 {
@@ -7531,7 +7531,7 @@ STATIC void prvResetNextTaskUnblockTime( void )
 /* MISRA Ref 11.5.1 [Malloc memory assignment] */
 /* More details at: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/MISRA.md#rule-115 */
 /* coverity[misra_c_2012_rule_11_5_violation] */
- pxTaskStatusArray = pvPortMalloc( uxCurrentNumberOfTasks * sizeof( TaskStatus_t ) );
+ pxTaskStatusArray = pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) );
 
 if( pxTaskStatusArray != NULL )
 {
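Review bot: The new `pvPortMalloc( uxArraySize * sizeof( TaskStatus_t ) )` argument is only safe if `uxArraySize` holds a snapshot of `uxCurrentNumberOfTasks` taken earlier in the function, and nothing at the call site says so. That assignment sits outside this hunk, so confirm it precedes the allocation on every path and that nothing modifies `uxArraySize` in between. I would add a comment directly above the call, e.g. `/* Size the buffer from the uxArraySize snapshot: re-reading uxCurrentNumberOfTasks here can disagree with the count later passed to uxTaskGetSystemState(). */`, so a later cleanup does not reintroduce the second read. The same comment applies to the identical line in the hunk at 7531. The enclosing function starts and ends outside the hunk.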
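Review bot: The subject and description name only vTaskListTasks(), but this second hunk sits about 170 lines below the first and so presumably changes a different function with the same allocation pattern. The `prvResetNextTaskUnblockTime` text in the `@@` header is only git's nearest preceding signature, not the enclosing function, which is not visible in the hunk. Name that function in the commit message so the record of which entry points had the undersized-allocation window is complete for anyone backporting the fix or assessing exposure.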