This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22273] New: Improper assert in Linux posix_spawn implementation
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Oct 2017 14:32:45 +0000
- Subject: [Bug libc/22273] New: Improper assert in Linux posix_spawn implementation
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22273
Bug ID: 22273
Summary: Improper assert in Linux posix_spawn implementation
Product: glibc
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Target: Linux
Flags: security-
__spawnix has this code:
  /* Child must set args.err to something non-negative - we rely on
     the parent and child sharing VM. */
  args.err = -1;
  …
  /* The clone flags used will create a new child that will run in the same
     memory space (CLONE_VM) and the execution of calling thread will be
     suspend until the child calls execve or _exit.

     Also since the calling thread execution will be suspend, there is not
     need for CLONE_SETTLS. Although parent and child share the same TLS
     namespace, there will be no concurrent access for TLS variables (errno
     for instance). */
  new_pid = CLONE (__spawni_child, STACK (stack, stack_size), stack_size,
                   CLONE_VM | CLONE_VFORK | SIGCHLD, &args);

  if (new_pid > 0)
    {
      ec = args.err;
      assert (ec >= 0);
The assert can fire if the child process dies before the err member is written.
Atomics should probably be used to guard against compiler reordering of the
store, too.
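Added example (not part of the original report and not glibc code): a stand-alone C program that reproduces the pattern above with clone(CLONE_VM | CLONE_VFORK), lets a child die before it stores its status, and has the parent treat the untouched sentinel as a reportable outcome instead of asserting. The names spawn_report, child_fn, struct spawn_args, NO_REPORT and the CHILD_* scenarios are assumptions made for this example, and it assumes Linux with a downward-growing stack.

```c
#define _GNU_SOURCE                      /* clone() and CLONE_* in <sched.h> */
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_VM                         /* fallback if feature macros were fixed earlier */
#define CLONE_VM 0x00000100
#define CLONE_VFORK 0x00004000
#endif
int clone(int (*)(void *), void *, int, void *, ...);

enum { CHILD_OK, CHILD_EXEC_FAILS, CHILD_DIES_EARLY };  /* constructed scenarios */
enum { NO_REPORT = -1 };                 /* sentinel: child never stored a status */
struct spawn_args { _Atomic int err; int mode; };       /* hypothetical layout */

static int child_fn(void *p) {
    struct spawn_args *a = p;
    if (a->mode == CHILD_DIES_EARLY)
        kill(getpid(), SIGKILL);         /* child is gone before err is written */
    if (a->mode == CHILD_EXEC_FAILS) {
        char *argv[] = { "x", NULL }, *envp[] = { NULL };
        execve("/nonexistent/constructed-path", argv, envp);
        atomic_store_explicit(&a->err, errno, memory_order_release);
        _exit(127);
    }
    atomic_store_explicit(&a->err, 0, memory_order_release);  /* stands in for a good exec */
    _exit(0);
}

/* Returns 0, an errno value reported by the child, or NO_REPORT. */
int spawn_report(int mode) {
    static _Alignas(16) char stack[64 * 1024];
    struct spawn_args args = { .err = NO_REPORT, .mode = mode };
    pid_t pid = clone(child_fn, stack + sizeof stack,   /* top of the child stack */
                      CLONE_VM | CLONE_VFORK | SIGCHLD, &args);
    if (pid < 0)
        return errno;
    int ec = atomic_load_explicit(&args.err, memory_order_acquire);
    waitpid(pid, NULL, 0);               /* reap the child in every case */
    return ec;                           /* may be NO_REPORT: handle it, never assert */
}

int main(void) {
    printf("ok=%d exec_fails=%d dies_early=%d\n", spawn_report(CHILD_OK),
           spawn_report(CHILD_EXEC_FAILS), spawn_report(CHILD_DIES_EARLY));
    return 0;
}
```

A caller has to map NO_REPORT to an error of its own choosing; which errno a real implementation should return in that case is not stated in the report.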