This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nptl/20719] New: glibc: canceled pthread_cond_wait invokes wrong internal cleanup handler, leading to OOB write
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 19 Oct 2016 18:04:16 +0000
- Subject: [Bug nptl/20719] New: glibc: canceled pthread_cond_wait invokes wrong internal cleanup handler, leading to OOB write
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20719
Bug ID: 20719
Summary: glibc: canceled pthread_cond_wait invokes wrong internal cleanup handler, leading to OOB write
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: nptl
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Target: i686
Flags: security?
Created attachment 9581
--> https://sourceware.org/bugzilla/attachment.cgi?id=9581&action=edit
tst-cancel-cond.c
The attached test case occasionally writes to the info.pad member during the
pthread_cond_wait function call, and not to the info.cond and info.mutex
members.
The proximate cause is that __condvar_w_cleanup2 is called with the original
(not incremented) value of %ebx.
I can reproduce the stray write under GDB with a hardware watchpoint on
info.pad, or with a conditional breakpoint on __condvar_w_cleanup2, checking
for the expected value of %ebx.
The root cause is still unclear. It happens with a wide range of glibc
versions. We initially saw this on a 2.12-derived glibc without the fix for
bug 14477, compiled with 4.4.7-derived GCC. I can reproduce it on Fedora 2.23
i386 (glibc 2.22, GCC 5.3.1). Potential root causes are incorrect register
restoration in the unwind code (both glibc and libgcc), or invalid manually
written unwind data in pthread_cond_wait.S.