This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug nptl/19511] 8MB memory leak in pthread_create in case of failure when non-root user changes priority

From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Mon, 25 Jan 2016 15:17:50 +0000
Subject: [Bug nptl/19511] 8MB memory leak in pthread_create in case of failure when non-root user changes priority
Auto-submitted: auto-generated
References: <bug-19511-131 at http dot sourceware dot org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=19511

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
What happens is that the thread created âstoppedâ (so that the priorities can
be applied before the thread function is started), but we fail to take into
account that the thread could be canceled in the stopped phase.  Then the
thread will never be joined, so its thread stack is never flagged for re-use.

A fix could perhaps look like this, but the existing cancellation handling
looks racy: What happens if SIGCANCEL arrives before the handler is set up? 
Can SIGCANCEL be lost?

diff --git a/nptl/pthread_create.c b/nptl/pthread_create.c
index 5216041..69e5bc6 100644
--- a/nptl/pthread_create.c
+++ b/nptl/pthread_create.c
@@ -308,6 +308,7 @@ START_THREAD_DEFN
   unwind_buf.priv.data.cleanup = NULL;

   int not_first_call;
+  bool start_routine_called = false;
   not_first_call = setjmp ((struct __jmp_buf_tag *)
unwind_buf.cancel_jmp_buf);
   if (__glibc_likely (! not_first_call))
     {
@@ -329,6 +330,7 @@ START_THREAD_DEFN
       LIBC_PROBE (pthread_start, 3, (pthread_t) pd, pd->start_routine,
pd->arg);

       /* Run the code the user provided.  */
+      start_routine_called = true;
 #ifdef CALL_THREAD_FCT
       THREAD_SETMEM (pd, result, CALL_THREAD_FCT (pd));
 #else
@@ -435,7 +437,7 @@ START_THREAD_DEFN
     __madvise (pd->stackblock, freesize - PTHREAD_STACK_MIN, MADV_DONTNEED);

   /* If the thread is detached free the TCB.  */
-  if (IS_DETACHED (pd))
+  if (IS_DETACHED (pd) || !start_routine_called)
     /* Free the TCB.  */
     __free_tcb (pd);
   else if (__glibc_unlikely (pd->cancelhandling & SETXID_BITMASK))

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug nptl/19511] New: 8MB memory leak in pthread_create in case of failure when non-root user changes priority
  - From: yut616 at sohu dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]