This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/12981] race in aio handle_fildes_io corrupts user memory
- From: "renegat.nospam at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Tue, 19 Jul 2011 06:14:48 +0000
- Subject: [Bug libc/12981] race in aio handle_fildes_io corrupts user memory
- Auto-submitted: auto-generated
- References: <bug-12981-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12981
renegat.nospam at gmail dot com changed:
What        |Removed |Added
----------------------------------------------------------------------------
CC          |        |renegat.nospam at gmail dot com
--- Comment #1 from renegat.nospam at gmail dot com 2011-07-19 06:14:12 UTC ---
The call to __aio_notify() should not be skipped, because even if the request
itself requires no notification, it could be associated with a waitlist that is
processed within __aio_notify(), if the request is part of an asynchronous
'lio_listio' operation.
Suggestions to fix this bug:
- add additional parameter 'int error_code' to interface of __aio_notify()
- at start of __aio_notify():
    1. save the value of field 'aio_sigevent.sigev_notify' to new local
       variable 'int notify'
    2. insert a read memory barrier afterwards
    3. assign aiocb field '__error_code' to value of parameter error_code
    4. skip call to __aio_notify_only() if notify is SIGEV_NONE
- change the (only two) calls to __aio_notify() to pass the error code
  and remove previous assignment
or
- add new field 'int sigev_notify' to 'struct requestlist'
- within __aio_enqueue_request(): assign it with value of
  'aio_sigevent.sigev_notify'
- within __aio_notify(): skip call to __aio_notify_only() if
  req->sigev_notify is SIGEV_NONE
There is also a race condition (only a minor bug) within aio_cancel(): a
user thread different from the one that called aio_cancel() may poll aio_error(),
and as soon as the return value is ECANCELED this thread can call aio_return(),
which may return a value other than -1 as required by the POSIX standard.
'sysdeps/pthread/aio_cancel.c':
int
aio_cancel (fildes, aiocbp)
     int fildes;
     struct aiocb *aiocbp;
{
  ...
  req->aiocbp->aiocb.__error_code = ECANCELED;
  req->aiocbp->aiocb.__return_value = -1;
  __aio_notify (req);
  ...
}
Bug fixes here:
If the first bug fix above is chosen, it will fix this bug automatically by
moving the assignment of '__error_code' into __aio_notify(); in the other
case, swap the two assignments and insert a write memory barrier in between.
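The aio_cancel() ordering race described in Comment #1, as an added example that is not part of the bug report or of glibc's code. 'struct fake_aiocb', 'cancel_request()', 'poll_until_cancelled()' and 'count_bad_observations()' are stand-ins for the aiocb fields '__error_code' / '__return_value', for the quoted aio_cancel() path, and for a user thread polling aio_error() then calling aio_return(); the "write memory barrier" the comment asks for is expressed here as a C11 release store paired with an acquire load on the polling side.

```c
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Stand-in for the two aiocb fields discussed in the bug (not glibc's struct). */
struct fake_aiocb {
    _Atomic int  error_code;    /* EINPROGRESS while pending, ECANCELED once cancelled */
    _Atomic long return_value;  /* must read -1 once aio_error() reports ECANCELED */
};

/* Cancelling side. buggy == 1 reproduces the order in the quoted aio_cancel(): the
   status is published before the return value, so a poller can see ECANCELED and
   then read a stale return value. buggy == 0 is the swapped order plus barrier. */
static void cancel_request(struct fake_aiocb *cb, int buggy)
{
    if (buggy) {
        atomic_store_explicit(&cb->error_code, ECANCELED, memory_order_relaxed);
        atomic_store_explicit(&cb->return_value, -1, memory_order_relaxed);
    } else {
        /* Write the return value first, then publish the status with release
           semantics: any thread that observes ECANCELED also observes -1. */
        atomic_store_explicit(&cb->return_value, -1, memory_order_relaxed);
        atomic_store_explicit(&cb->error_code, ECANCELED, memory_order_release);
    }
}

/* Polling side: spin on the status like a user thread calling aio_error(), then
   read the return value like aio_return(). The acquire load pairs with the
   release store above; against the buggy relaxed store it synchronizes nothing. */
static long poll_until_cancelled(struct fake_aiocb *cb)
{
    while (atomic_load_explicit(&cb->error_code, memory_order_acquire) == EINPROGRESS)
        ;
    return atomic_load_explicit(&cb->return_value, memory_order_relaxed);
}

struct trial_args {
    struct fake_aiocb *cb;
    long observed;
};

static void *poller(void *p)
{
    struct trial_args *a = p;
    a->observed = poll_until_cancelled(a->cb);
    return NULL;
}

/* Run `trials` cancel/poll races and return how many times the poller saw a
   return value other than -1 after the status had already become ECANCELED.
   Returns -1 if a thread could not be created. */
int count_bad_observations(int trials, int buggy)
{
    int bad = 0;
    for (int i = 0; i < trials; i++) {
        struct fake_aiocb cb;
        atomic_init(&cb.error_code, EINPROGRESS);
        atomic_init(&cb.return_value, 0xbad);   /* stale value, not yet -1 */

        struct trial_args a = { &cb, 0 };
        pthread_t t;
        if (pthread_create(&t, NULL, poller, &a) != 0)
            return -1;
        cancel_request(&cb, buggy);
        pthread_join(t, NULL);

        if (a.observed != -1)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("buggy order: %d inconsistent observations\n", count_bad_observations(20000, 1));
    printf("fixed order: %d inconsistent observations\n", count_bad_observations(20000, 0));
    return 0;
}
```

Whether the buggy order actually shows a stale value depends on the compiler and on the hardware's store ordering (x86 keeps two plain stores in program order, so the window may never open there); the fixed order is correct by the C11 memory model regardless of platform, which is the property worth asserting.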