This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nscd/9746] New: nscd cache corruption by garbage collection, leading to segfault and/or stack overrun


The garbage collection function, gc(), may free or move memory areas
which are allocated from the pool but not yet added to the cache db.
That leads to database corruption.
A later cache lookup might cause a segfault by out-of-range access.
Also, a later gc may try to set the bitmap while looking at the corrupted
cache entry, overwriting other data on the stack.

   thread 1 (adding cache)      thread 2 (doing gc)
   --------------------------------------------------------------
   data = mempool_alloc
   set the contents of 'data'
                                write-lock db
                                mark areas referenced from cache entries
                                move them onto unmarked areas
                                write-unlock db
   read-lock db
   cache_add(data)
   read-unlock db

The repository HEAD has a change involving mem_in_flight, which is
to record such areas so that gc() can mark them as 'used' and avoid
freeing them.
However, gc() may still move such areas.
While the areas are moved, the user of the area still refers to the
old location and would corrupt the memory.

It might be possible to fix gc() not to move the in-flight area.
But such areas are likely at the tail of the target memory range of gc,
and not moving them doesn't make much sense as it doesn't reclaim usable
areas.

The attached patch is to protect the allocate/set/add-cache operation
from gc.

   thread 1 (adding cache)      thread 2 (doing gc)
   --------------------------------------------------------------
   read-lock db
   data = mempool_alloc
   set the contents of 'data'
   cache_add(data)
   read-unlock db
                                write-lock db
                                mark areas referenced from cache entries
                                move them onto unmarked areas
                                write-unlock db

The problem can be reproduced with the test program attached to
Bugzilla 9741.

-- 
           Summary: nscd cache corruption by garbage collection, leading to
                    segfault and/or stack overrun
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
        AssignedTo: drepper at redhat dot com
        ReportedBy: j-nomura at ce dot jp dot nec dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=9746

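The two interleavings in the report, replayed on a single thread as an added example (this is illustrative code written for this page, not nscd's sources or the attached patch). The pool, cache entries, lock and record layout are assumed toy models: a bump-allocated byte pool, entries that reference pool data by offset, an 8-byte record size, and a reader/writer lock reduced to counters so that the replay stays deterministic. `replay(0)` follows the original ordering (read lock only around `cache_add`), `replay(1)` the patched ordering (read lock taken before `mempool_alloc`); in the original ordering gc slides entry B down onto the stale area and reclaims the in-flight area, so D's entry ends up referencing space the pool later hands out again.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of nscd's memory pool (bump allocation) and cache database
   (entries reference pool data by offset).  Assumed layout for this example
   only; it is not nscd's real data structures. */
#define POOL_SIZE 64
#define MAX_ENTRIES 8
#define LEN 8                       /* every record is 8 bytes here */

static char pool[POOL_SIZE];
static size_t pool_used;

struct entry { char key; size_t off; };
static struct entry cache[MAX_ENTRIES];
static int ncache;

/* Toy reader/writer lock, enough to replay one interleaving on one thread. */
static int db_readers, db_writer;
static void db_rdlock(void)    { db_readers++; }
static void db_rdunlock(void)  { db_readers--; }
static int  db_trywrlock(void) { if (db_readers || db_writer) return EBUSY; db_writer = 1; return 0; }
static void db_wrlock(void)    { if (db_trywrlock() != 0) abort(); }
static void db_wrunlock(void)  { db_writer = 0; }

static size_t mempool_alloc(void) { size_t off = pool_used; pool_used += LEN; return off; }
static void set_data(size_t off, const char *s) { memcpy(pool + off, s, LEN); }
static void cache_add(char key, size_t off) { cache[ncache].key = key; cache[ncache].off = off; ncache++; }
static const char *cache_lookup(char key)
{
    for (int i = 0; i < ncache; i++)
        if (cache[i].key == key) return pool + cache[i].off;
    return NULL;
}

/* gc: mark the areas referenced from cache entries and slide them down onto
   unmarked areas.  An allocation that is in flight (not yet in the cache) is
   unmarked, so gc treats it as free space. */
static void gc(void)
{
    size_t dst = 0;
    for (int i = 0; i < ncache; i++) {
        if (cache[i].off != dst) memmove(pool + dst, pool + cache[i].off, LEN);
        cache[i].off = dst;
        dst += LEN;
    }
    pool_used = dst;
}

struct outcome {
    int gc_ran_mid_add;     /* could gc slip in between mempool_alloc and cache_add? */
    int dangling_after_add; /* does D's entry point past what the pool considers in use? */
    char d_data[LEN];       /* what a later lookup of D returns */
};

/* Replay the interleaving from the report on a single thread; 'fixed' selects
   whether the read lock is taken before mempool_alloc (the patch) or only
   around cache_add (the original code). */
static struct outcome replay(int fixed)
{
    struct outcome o = {0};
    memset(pool, 0, sizeof pool); pool_used = 0; ncache = 0; db_readers = db_writer = 0;

    /* Existing database: A live, a stale area nobody references, B live. */
    size_t a = mempool_alloc(); set_data(a, "entry-A"); cache_add('A', a);
    (void)mempool_alloc();                      /* expired entry, still in the pool */
    size_t b = mempool_alloc(); set_data(b, "entry-B"); cache_add('B', b);

    /* thread 1: allocate, fill, add */
    if (fixed) db_rdlock();
    size_t d = mempool_alloc();
    set_data(d, "entry-D");
    /* thread 2 wants to gc exactly here; with the read lock held it must wait */
    if (db_trywrlock() == 0) { o.gc_ran_mid_add = 1; gc(); db_wrunlock(); }
    if (!fixed) db_rdlock();
    cache_add('D', d);
    db_rdunlock();
    o.dangling_after_add = d + LEN > pool_used;

    /* thread 2 was blocked: it gets the write lock once thread 1 is done */
    if (!o.gc_ran_mid_add) { db_wrlock(); gc(); db_wrunlock(); }

    /* later activity: two more entries fill whatever gc considers free */
    size_t e = mempool_alloc(); set_data(e, "entry-E"); cache_add('E', e);
    size_t f = mempool_alloc(); set_data(f, "entry-F"); cache_add('F', f);
    memcpy(o.d_data, cache_lookup('D'), LEN);
    return o;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct outcome o = replay(fixed);
        printf("%s: gc mid-add=%d dangling=%d lookup(D)=\"%s\"\n",
               fixed ? "patched" : "original", o.gc_ran_mid_add,
               o.dangling_after_add, o.d_data);
    }
    return 0;
}
```

In the original ordering the lookup of D returns "entry-F": gc reclaimed D's area while it was in flight, the entry was then added with the stale offset, and the next allocations reused that space. With the patched ordering `db_trywrlock` fails while thread 1 holds the read lock, gc runs only after the add, moves D along with the other live entries and updates its offset, and the lookup returns "entry-D".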

