20511 – Invalid read on pthread_create with short-lived threads

Bug 20511 - Invalid read on pthread_create with short-lived threads

Summary: Invalid read on pthread_create with short-lived threads

Status:	RESOLVED DUPLICATE of bug 20116

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	nptl (show other bugs)
Version:	2.24

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-08-24 11:36 UTC by Johannes Bauer
Modified:	2016-08-25 11:09 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Flags:	fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Bauer 2016-08-24 11:36:25 UTC

I noticed sporadically that pthread_create causes invalid reads. The effect is particularly obvious when threads are extremely short-lived. I've built 2.24 from scratch and can reproduce the problem with it. Here's example code:

// gcc -O2 -Wall -Wextra -pthread -o ptc ptc.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <pthread.h>

static void* do_nothing(void* arg) {
	return arg;
}

int main(void) {
	pthread_attr_t thread_attributes;
	memset(&thread_attributes, 0, sizeof(thread_attributes));
	if (pthread_attr_init(&thread_attributes)) {
		perror("pthread_attr_init");
		exit(EXIT_FAILURE);
	}
	pthread_attr_setdetachstate(&thread_attributes, PTHREAD_CREATE_DETACHED);

	for (int i = 0; i < 1000; i++) {
		pthread_t tid;
		if (pthread_create(&tid, &thread_attributes, do_nothing, NULL)) {
			perror("pthread_create");
			exit(EXIT_FAILURE);
		}

	}

	return 0;
}

When run with valgrind:

==31206== Invalid read of size 1
==31206==    at 0x4E41BE7: pthread_create@@GLIBC_2.2.5 (pthread_create.c:713)
==31206==    by 0x40070B: main (in /home/joe/fractals-ng/libc_bug/ptc)
==31206==  Address 0xa028d13 is not stack'd, malloc'd or (recently) free'd
==31206== 
==31206== 
==31206== Process terminating with default action of signal 11 (SIGSEGV)
==31206==  Access not within mapped region at address 0xA028D13
==31206==    at 0x4E41BE7: pthread_create@@GLIBC_2.2.5 (pthread_create.c:713)
==31206==    by 0x40070B: main (in /home/joe/fractals-ng/libc_bug/ptc)

The offending access is

  else
    {
      if (pd->stopped_start)           <-- here! line 713
	/* The thread blocked on this lock either because we're doing TD_CREATE
	   event reporting, or for some other reason that create_thread chose.
	   Now let it run free.  */
	lll_unlock (pd->lock, LLL_PRIVATE);

      /* We now have for sure more than one thread.  The main thread might
	 not yet have the flag set.  No need to set the global variable
	 again if this is what we use.  */
      THREAD_SETMEM (THREAD_SELF, header.multiple_threads, 1);
    }

Thank you for looking into this.

Cheers,
Johannes

Comment 1 Florian Weimer 2016-08-25 11:09:33 UTC

This has been reported before, but we have not fixed it.

*** This bug has been marked as a duplicate of bug 20116 ***