This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nptl/20116] New: use after free in pthread_create
- From: "250716887 at qq dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 19 May 2016 02:07:18 +0000
- Subject: [Bug nptl/20116] New: use after free in pthread_create
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20116
Bug ID: 20116
Summary: use after free in pthread_create
Product: glibc
Version: 2.3.3
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: nptl
Assignee: unassigned at sourceware dot org
Reporter: 250716887 at qq dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
I tested on Ubuntu 16.04 with MongoDB 3.2.5 and caught a SIGSEGV in __pthread_create_2_1:
709      else
710        {
711          if (pd->stopped_start)
712            /* The thread blocked on this lock either because we're doing TD_CREATE
713               event reporting, or for some other reason that create_thread chose.
714               Now let it run free.  */
715            lll_unlock (pd->lock, LLL_PRIVATE);

On line 711, pd was already freed.
I used systemtap to find the root cause of the SIGSEGV, and found that the created child thread died before pthread_create returned: the TCB pointed to by the pd variable was destroyed and munmapped in the created child thread.
If the freed TCB memory is used by another thread in the interval before pthread_create returns, it may cause a security bug.
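The same race in a self-contained form, as an added example that is not from the report or from glibc: a creator thread hands a heap-allocated descriptor (a constructed stand-in for the TCB pd) to a child that frees it on exit. The creator first re-reads the descriptor after the hand-off, the shape the report describes, and then snapshots the field it needs before pthread_create so it never touches pd once the child may have freed it. All names here are invented.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed per-thread descriptor standing in for glibc's TCB ("pd"). */
struct thread_desc {
    bool stopped_start;     /* creator parks the child on lock until released */
    pthread_mutex_t lock;
};

static atomic_int finished;  /* how many children have run to completion */

/* The child owns pd and frees it before exiting, so once it is running the
   creator may only touch pd if it knows the child is still parked on lock. */
static void *worker(void *arg) {
    struct thread_desc *pd = arg;
    pthread_mutex_lock(&pd->lock);
    pthread_mutex_unlock(&pd->lock);
    pthread_mutex_destroy(&pd->lock);
    free(pd);                        /* creator must not touch pd after this */
    atomic_fetch_add(&finished, 1);
    return NULL;
}

/* Buggy shape from the report: re-reads pd->stopped_start after the hand-off.
   With stopped_start == false the child may already have freed pd. Never called. */
void release_child_unsafe(struct thread_desc *pd) {
    if (pd->stopped_start)           /* use after free */
        pthread_mutex_unlock(&pd->lock);
}

/* Safe shape: snapshot what is needed from pd before pthread_create; afterwards
   touch pd->lock only when the snapshot proves the child is still parked on it. */
int spawn_and_join(bool stopped_start) {
    struct thread_desc *pd = calloc(1, sizeof *pd);
    if (pd == NULL) return -1;
    pd->stopped_start = stopped_start;
    pthread_mutex_init(&pd->lock, NULL);
    bool child_parked = stopped_start;   /* local copy, not pd->stopped_start */
    if (child_parked) pthread_mutex_lock(&pd->lock);
    pthread_t t;
    int rc = pthread_create(&t, NULL, worker, pd);
    if (rc != 0) {                       /* child never ran: pd is still ours */
        if (child_parked) pthread_mutex_unlock(&pd->lock);
        pthread_mutex_destroy(&pd->lock);
        free(pd);
        return rc;
    }
    if (child_parked)                    /* child is blocked on lock, so pd is alive */
        pthread_mutex_unlock(&pd->lock);
    return pthread_join(t, NULL);        /* no access to pd after the hand-off */
}
```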