This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory
- From: "dlbulk-sourcesredhat at yahoo dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Mon, 11 Jul 2011 15:39:46 +0000
- Subject: [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=12981
Summary: race in aio handle_fildes_io corrupts user memory
Product: glibc
Version: 2.14
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: dlbulk-sourcesredhat@yahoo.com
sysdeps/pthread/aio_misc.c:
603 if (aiocbp->aiocb.__return_value == -1)
604 aiocbp->aiocb.__error_code = errno;
605 else
606 aiocbp->aiocb.__error_code = 0;
607
608 /* Send the signal to notify about finished processing of the
609 request. */
610 __aio_notify (runp);
Once aiocb.__error_code is set, a user thread could be polling aio_error and
aio_return to process the completed io. aiocbp could be freed in this process.
However, __aio_notify dereferences and modifies this memory:
sysdeps/pthread/aio_notify.c:
128 #ifdef BROKEN_THREAD_SIGNALS
129 if (__aio_notify_only (&aiocbp->aio_sigevent, req->caller_pid) != 0)
130 #else
131 if (__aio_notify_only (&aiocbp->aio_sigevent) != 0)
132 #endif
133 {
134 /* XXX What shall we do if already an error is set by
135 read/write/fsync? */
136 aiocbp->__error_code = errno;
137 aiocbp->__return_value = -1;
138 }
To fix this race, __aio_notify should be skipped if
aiocbp->aio_sigevent.sigev_notify is SIGEV_NONE.
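The ordering problem described in the report, modelled as an added example (this is not glibc code and not the reporter's). The `model_aiocb` struct, the `touch()` bookkeeping, the `user_thread_reaps()` callback standing in for the polling user thread, and the EAGAIN used as the errno of a failed notification are all assumptions of the model; the two completion orders follow the report's description of aio_misc.c lines 603-610 and the SIGEV_NONE skip it proposes. The interleaving is forced rather than left to a real scheduler, so the result is deterministic and the use-after-free is counted instead of executed.

```c
/* Added example: model of the completion ordering in handle_fildes_io.
   Not glibc code. The user thread is simulated as a callback that runs
   between the worker's steps, which is the schedule the report describes. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed stand-in for the request block, reduced to the fields involved. */
struct model_aiocb {
    int error_code;          /* stands in for aiocb.__error_code */
    ssize_t return_value;    /* stands in for aiocb.__return_value */
    int sigev_notify;        /* stands in for aiocb.aio_sigevent.sigev_notify */
    bool freed;              /* simulation only: the user thread freed the block */
    int accesses_after_free; /* simulation only: worker touches of a freed block */
};

/* Every worker access to the block passes through here so the model can
   count a load or store made after the user thread reclaimed it. */
static void touch(struct model_aiocb *cb)
{
    if (cb->freed)
        cb->accesses_after_free++;
}

/* Simulated user thread: aio_error() no longer returns EINPROGRESS, so the
   application calls aio_return() and frees the control block. */
static void user_thread_reaps(struct model_aiocb *cb)
{
    if (cb->error_code != EINPROGRESS)
        cb->freed = true;   /* free(aiocbp) in a real program */
}

/* Stand-in for __aio_notify_only(): SIGEV_NONE has nothing to deliver and
   succeeds; for other kinds the caller decides whether delivery fails. */
static int notify_only(int sigev_notify, bool delivery_fails)
{
    if (sigev_notify == SIGEV_NONE)
        return 0;
    return delivery_fails ? -1 : 0;
}

/* Stand-in for __aio_notify(): reads the request, and on a failed delivery
   writes the error back into it, the accesses the report points at. */
static void aio_notify_model(struct model_aiocb *cb, bool delivery_fails)
{
    touch(cb);                                   /* reads aio_sigevent */
    if (notify_only(cb->sigev_notify, delivery_fails) != 0) {
        touch(cb);                               /* writes __error_code/__return_value */
        cb->error_code = EAGAIN;                 /* assumed errno of the failed delivery */
        cb->return_value = -1;
    }
}

/* Publish the result first, then notify: the order the report quotes. */
static void complete_racy(struct model_aiocb *cb, ssize_t result, bool delivery_fails)
{
    cb->return_value = result;
    cb->error_code = (result == -1) ? EIO : 0;   /* completion becomes visible here */
    user_thread_reaps(cb);                       /* the user thread wins the race */
    aio_notify_model(cb, delivery_fails);        /* touches memory that may be gone */
}

/* The report's suggestion: skip __aio_notify for SIGEV_NONE. The check is
   taken before the result is published, because after that point the block
   may already belong to the user thread again. */
static void complete_fixed(struct model_aiocb *cb, ssize_t result, bool delivery_fails)
{
    bool needs_notify = (cb->sigev_notify != SIGEV_NONE);
    cb->return_value = result;
    cb->error_code = (result == -1) ? EIO : 0;
    user_thread_reaps(cb);
    if (needs_notify)
        aio_notify_model(cb, delivery_fails);
}

/* Runs one scenario and returns how many times the worker touched the
   block after the simulated user thread had freed it. */
int run_scenario(int sigev_notify, ssize_t result, bool delivery_fails, bool fixed)
{
    struct model_aiocb cb = { .error_code = EINPROGRESS, .sigev_notify = sigev_notify };
    if (fixed)
        complete_fixed(&cb, result, delivery_fails);
    else
        complete_racy(&cb, result, delivery_fails);
    return cb.accesses_after_free;
}

int main(void)
{
    printf("racy, SIGEV_NONE:            %d accesses after free\n",
           run_scenario(SIGEV_NONE, 512, false, false));
    printf("racy, SIGEV_SIGNAL, failed:  %d accesses after free\n",
           run_scenario(SIGEV_SIGNAL, -1, true, false));
    printf("fixed, SIGEV_NONE:           %d accesses after free\n",
           run_scenario(SIGEV_NONE, 512, true, true));
    return 0;
}
```

Even with SIGEV_NONE, where nothing is delivered, the racy order still reads `aio_sigevent` out of the block after completion is visible, so the first scenario reports one access after free; when a signal delivery fails, the error write-back adds a second. The model encodes only the SIGEV_NONE skip the report proposes, and nothing beyond it.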