From 848290b63a0990a4c250f6a82135a148f1ec9680 Mon Sep 17 00:00:00 2001
From: Konstantin Baladurin
Date: Fri, 8 Dec 2017 23:26:00 +0300
Subject: [PATCH] Fix uaf in DestroyThread function. (dotnet/coreclr#15437)
Mark thread's buffers as no longer owned before calling Thread::OnThreadTerminate because thread can delete itself in this method.
Commit migrated from https://github.com/dotnet/coreclr/commit/ddab65b2643ec2c3b7a376f4f44a05073124b732
---
 src/coreclr/src/vm/threads.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/coreclr/src/vm/threads.cpp b/src/coreclr/src/vm/threads.cpp
index de5eb6a..5482102 100644
--- a/src/coreclr/src/vm/threads.cpp
+++ b/src/coreclr/src/vm/threads.cpp
@@ -902,12 +902,6 @@ void DestroyThread(Thread *th)
 #endif // _TARGET_X86_
 #endif // WIN64EXCEPTIONS
- if (g_fEEShutDown == 0)
- {
- th->SetThreadState(Thread::TS_ReportDead);
- th->OnThreadTerminate(FALSE);
- }
-
 #ifdef FEATURE_PERFTRACING
 // Before the thread dies, mark its buffers as no longer owned
 // so that they can be cleaned up after the thread dies.
@@ -917,6 +911,12 @@ void DestroyThread(Thread *th)
 pBufferList->SetOwnedByThread(false);
 }
 #endif // FEATURE_PERFTRACING
+
+ if (g_fEEShutDown == 0)
+ {
+ th->SetThreadState(Thread::TS_ReportDead);
+ th->OnThreadTerminate(FALSE);
+ }
 }
 //-------------------------------------------------------------------------
--
2.7.4
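Review bot: The relocated block at the end of DestroyThread (second hunk) now finishes with `th->OnThreadTerminate(FALSE);`, but nothing on the new side records that `th` may already be freed when that call returns, which is the ordering constraint this fix relies on. A comment directly above the call, such as `// OnThreadTerminate may delete th; nothing after this call may dereference th.`, would keep later cleanup code from being appended below it and reintroducing the use-after-free. The buffer list is now marked as unowned before termination runs, so it is worth confirming that OnThreadTerminate does not itself write to those buffers afterwards; its body is not visible here. DestroyThread starts above these hunks, so only the tail of the function can be checked.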