This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12981] race in aio handle_fildes_io corrupts user memory


http://sourceware.org/bugzilla/show_bug.cgi?id=12981

renegat.nospam at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |renegat.nospam at gmail dot
                   |                            |com

--- Comment #1 from renegat.nospam at gmail dot com 2011-07-19 06:14:12 UTC ---
The call to __aio_notify() should not be skipped, because even if the request
itself requires no notification, it could be associated with a waitlist that is
processed within __aio_notify(), if the request is part of an asynchronous
'lio_listio' operation.

Suggestions to fix this bug:

   - add an additional parameter 'int error_code' to the interface of __aio_notify()
   - at the start of __aio_notify():
       1. save the value of the field 'aio_sigevent.sigev_notify' to a new local
          variable 'int notify'
       2. insert a read memory barrier afterwards
       3. assign the aiocb field '__error_code' the value of the parameter error_code
       4. skip the call to __aio_notify_only() if notify is SIGEV_NONE
   - change the (only two) calls to __aio_notify() to pass the error code
     and remove the previous assignment

or

   - add a new field 'int sigev_notify' to 'struct requestlist'
   - within __aio_enqueue_request(): assign it the value of
     'aio_sigevent.sigev_notify'
   - within __aio_notify(): skip the call to __aio_notify_only() if
     req->sigev_notify is SIGEV_NONE


There is also a race condition (only a minor bug) within aio_cancel(): a
user thread different from the one that called aio_cancel() may poll aio_error(),
and as soon as the return value is ECANCELED this thread can call aio_return(),
which may return a value other than -1 as required by the POSIX standard.

'sysdeps/pthread/aio_cancel.c':

    int
    aio_cancel (fildes, aiocbp)
       int fildes;
       struct aiocb *aiocbp;
    {
        ...
        req->aiocbp->aiocb.__error_code = ECANCELED;
        req->aiocbp->aiocb.__return_value = -1;
        __aio_notify (req);
        ...
    }

Bug fixes here:

If the first bug fix above is chosen, it will fix this bug automatically by
moving the assignment of '__error_code' into __aio_notify(); in the other
case, swap the two assignments and insert a write memory barrier in between.

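The aio_cancel() ordering problem in the comment above, as an added example that is not glibc code and not part of the original bug report. It reduces the aiocb to the two fields involved, splits the canceller into its individual stores, and places a second thread (one that polls aio_error() and then calls aio_return()) at every point between those stores, so every interleaving of the two-step writer is checked deterministically rather than by racing real threads. The struct, function and field names (req_model, cancel_buggy, cancel_fixed, poller_sees_bad_return, count_bad_interleavings) and the initial field values are this example's own assumptions; the fences are placed where the comment's proposed write barrier and matching read barrier would go, and only matter once real threads run the two sides concurrently.

```c
/* Added example, not glibc code: a reduced model of the aio_cancel() race.
 * Names and initial values are constructed for this example. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct req_model {
    _Atomic int error_code;       /* what aio_error() reports */
    _Atomic ssize_t return_value; /* what aio_return() reports */
};

typedef void (*writer_step)(struct req_model *r, int step);

/* Ordering as in the quoted aio_cancel(): ECANCELED becomes visible
   before __return_value has been set to -1. */
static void cancel_buggy(struct req_model *r, int step)
{
    switch (step) {
    case 0: atomic_store_explicit(&r->error_code, ECANCELED, memory_order_relaxed); break;
    case 1: atomic_store_explicit(&r->return_value, -1, memory_order_relaxed); break;
    }
}

/* Proposed ordering: store the return value, write barrier, then publish
   the error code the poller is waiting for. */
static void cancel_fixed(struct req_model *r, int step)
{
    switch (step) {
    case 0: atomic_store_explicit(&r->return_value, -1, memory_order_relaxed); break;
    case 1:
        atomic_thread_fence(memory_order_release); /* the write memory barrier */
        atomic_store_explicit(&r->error_code, ECANCELED, memory_order_relaxed);
        break;
    }
}

/* The other user thread: aio_error() until ECANCELED, then aio_return().
   Returns true when aio_return() would yield something other than -1. */
static bool poller_sees_bad_return(struct req_model *r)
{
    if (atomic_load_explicit(&r->error_code, memory_order_relaxed) != ECANCELED)
        return false;                          /* still in progress: keep polling */
    atomic_thread_fence(memory_order_acquire);  /* read barrier pairing with the writer's */
    return atomic_load_explicit(&r->return_value, memory_order_relaxed) != -1;
}

/* Place the poller before step 0, between the steps, and after the last step,
   and count the views in which aio_return() would violate POSIX. */
int count_bad_interleavings(writer_step step, int nsteps)
{
    struct req_model r;
    atomic_init(&r.error_code, EINPROGRESS); /* constructed: request still running */
    atomic_init(&r.return_value, 0);          /* constructed: nothing stored yet */
    int bad = 0;
    for (int s = 0; s <= nsteps; s++) {
        if (poller_sees_bad_return(&r))
            bad++;
        if (s < nsteps)
            step(&r, s);
    }
    return bad;
}

int bad_with_buggy_order(void) { return count_bad_interleavings(cancel_buggy, 2); }
int bad_with_fixed_order(void) { return count_bad_interleavings(cancel_fixed, 2); }

int main(void)
{
    printf("buggy order: %d bad interleaving(s)\n", bad_with_buggy_order());
    printf("fixed order: %d bad interleaving(s)\n", bad_with_fixed_order());
    return 0;
}
```

The buggy order has exactly one bad window, the point between its two stores, where aio_error() already reports ECANCELED but aio_return() still sees the unset value; swapping the stores closes that window, and the release/acquire pair is what keeps a real CPU or compiler from reordering the two stores back. The same publish-last rule is what the first fix proposal relies on when it reads sigev_notify and issues a read barrier before assigning __error_code.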

