This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nptl/20116] use after free in pthread_create


https://sourceware.org/bugzilla/show_bug.cgi?id=20116

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  f8bf15febcaf137bbec5a61101e88cd5a9d56ca8 (commit)
      from  faf0e9c84119742dd9ebb79060faa22c52ae80a1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f8bf15febcaf137bbec5a61101e88cd5a9d56ca8

commit f8bf15febcaf137bbec5a61101e88cd5a9d56ca8
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Sat Jan 28 19:13:34 2017 -0500

    Bug 20116: Fix use after free in pthread_create()

    The commit documents the ownership rules around 'struct pthread' and
    when a thread can read or write to the descriptor. With those ownership
    rules in place it becomes obvious that pd->stopped_start should not be
    touched in several of the paths during thread startup, particularly so
    for detached threads. In the case of detached threads, between the time
    the thread is created by the OS kernel and the creating thread checks
    pd->stopped_start, the detached thread might have already exited and the
    memory for pd unmapped. As a regression test we add a simple test which
    exercises this exact case by quickly creating detached threads with
    large enough stacks to ensure the thread stack cache is bypassed and the
    stacks are unmapped. Before the fix the testcase segfaults; after the
    fix it works correctly and completes without issue.

    For a detailed discussion see:
    https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                              |   33 +++++
 nptl/Makefile                          |    2 +-
 nptl/createthread.c                    |   10 +-
 nptl/pthread_create.c                  |  207 +++++++++++++++++++++++++++-----
 nptl/pthread_getschedparam.c           |    1 +
 nptl/pthread_setschedparam.c           |    1 +
 nptl/pthread_setschedprio.c            |    1 +
 nptl/tpp.c                             |    2 +
 nptl/tst-create-detached.c             |  137 +++++++++++++++++++++
 support/Makefile                       |    4 +
 support/xpthread_attr_destroy.c        |   26 ++++
 support/xpthread_attr_init.c           |   25 ++++
 support/xpthread_attr_setdetachstate.c |   27 ++++
 support/xpthread_attr_setstacksize.c   |   26 ++++
 support/xthread.h                      |    6 +
 sysdeps/nacl/createthread.c            |   10 +-
 sysdeps/unix/sysv/linux/createthread.c |   16 +--
 17 files changed, 479 insertions(+), 55 deletions(-)
 create mode 100644 nptl/tst-create-detached.c
 create mode 100644 support/xpthread_attr_destroy.c
 create mode 100644 support/xpthread_attr_init.c
 create mode 100644 support/xpthread_attr_setdetachstate.c
 create mode 100644 support/xpthread_attr_setstacksize.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
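The regression approach the commit message describes, as an added example written for this page (it is not nptl/tst-create-detached.c): detached threads with a large stack are created in a loop and each exits immediately, while the creator never touches the thread after pthread_create returns and learns of completion only through its own counter. The stack size and thread count are assumptions; the size needed to defeat the stack cache depends on the glibc version.

```c
/* Added example, not the glibc test itself: stress detached-thread creation
   and wait for completion without touching the thread descriptor. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: large enough that exited stacks are unmapped rather than
   cached on the glibc version under test (an implementation detail). */
#define DETACHED_STACK_SIZE (32UL << 20)

/* File-scope so the counter outlives every thread that signals it. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t done = PTHREAD_COND_INITIALIZER;
static int finished;

static void *exit_immediately(void *arg)
{
    (void) arg;
    pthread_mutex_lock(&lock);
    finished++;
    pthread_cond_signal(&done);
    pthread_mutex_unlock(&lock);
    return NULL;
}

/* Creates COUNT detached threads; returns 0 when all of them have run. */
int run_detached_stress(int count)
{
    pthread_attr_t attr;
    pthread_t tid;
    int i, rc = 0;

    if (pthread_attr_init(&attr) != 0)
        return -1;
    if (pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) != 0
        || pthread_attr_setstacksize(&attr, DETACHED_STACK_SIZE) != 0) {
        pthread_attr_destroy(&attr);
        return -1;
    }
    finished = 0;
    for (i = 0; i < count; i++) {
        rc = pthread_create(&tid, &attr, exit_immediately, NULL);
        if (rc != 0) {
            fprintf(stderr, "pthread_create: %s after %d threads\n",
                    strerror(rc), i);
            count = i;  /* wait only for the threads actually started */
            break;
        }
        /* From here on the descriptor behind tid belongs to the detached
           thread, which may already have exited and unmapped its stack. */
    }
    pthread_mutex_lock(&lock);
    while (finished < count)
        pthread_cond_wait(&done, &lock);
    pthread_mutex_unlock(&lock);
    pthread_attr_destroy(&attr);
    return rc == 0 ? 0 : -1;
}
```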
