This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug dynamic-link/18192] New: dlerror not thread-safe when libpthread loaded through dlopen

From: "william at 25thandClement dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Wed, 01 Apr 2015 21:42:32 +0000
Subject: [Bug dynamic-link/18192] New: dlerror not thread-safe when libpthread loaded through dlopen
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=18192

            Bug ID: 18192
           Summary: dlerror not thread-safe when libpthread loaded through
                    dlopen
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: william at 25thandClement dot com

Created attachment 8223
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8223&action=edit
Tickle dlerror from multiple threads

__dlerror and _dlerror_run in dlfcn.h will use a shared, static buffer if
pthreads is not present when initializing internal state. And they continue
using the shared buffer even after pthreads is loaded. This can result in
double frees, NULL pointer dereferences, and other fun.

I ran into this bug via a Lua module. No Lua interpreter shipped on a major
distribution links the interpreter against libpthread.so. However, there are
many Lua modules which use pthreads and cause libpthread to be linked in via
dlopen. If dlopen/dlclose are used from multiple threads (e.g. spinning up new
Lua VMs in the threads, which will then load modules), then you can trigger
this bug. You're much more likely to encounter problems if the threads are
short-lived and the Lua interpreters unload their modules via dlclose, or if
they try to load non-existent modules.

Attached is a simple proof of concept in plain C. It loads libpthread using
dlopen("libpthread.so.0", RTLD_GLOBAL), spins up multiple threads, and from
each thread tickles dlerror by repeatedly attempting to open non-existent
libraries.

Note that Lua modules are usually loaded RTLD_LOCAL, so that might complicate
any solution.

FWIW, strsignal.c has this same problem. where_is_shmfs in shm_open.c also has
an initialization race. gaiconf_init in getaddrinfo.c might be subject to a
race, but I couldn't quickly determine which globals it accesses.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug dynamic-link/18192] dlerror not thread-safe when libpthread loaded through dlopen
  - From: william at 25thandClement dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]