This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug nptl/20719] glibc: canceled pthread_cond_wait invokes wrong internal cleanup handler, leading to OOB write
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 20 Oct 2016 15:37:27 +0000
- Subject: [Bug nptl/20719] glibc: canceled pthread_cond_wait invokes wrong internal cleanup handler, leading to OOB write
- Auto-submitted: auto-generated
- References: <bug-20719-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20719
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Root cause is this in libgcc/unwind-c.c:
int ip_before_insn = 0;
…
/* Parse the LSDA header. */
p = parse_lsda_header (context, language_specific_data, &info);
#ifdef HAVE_GETIPINFO
ip = _Unwind_GetIPInfo (context, &ip_before_insn);
#else
ip = _Unwind_GetIP (context);
#endif
if (! ip_before_insn)
--ip;
landing_pad = 0;
i386 is a !HAVE_GETIPINFO architecture, so !ip_before_insn is always true, and
we decrement ip.
This means that if SIGCANCEL hits at .Lsub_cond_futex/19 in pthread_cond_wait:
movl %ebp, %edx
addl $cond_futex, %ebx
.Ladd_cond_futex:
movl $SYS_futex, %eax
ENTER_KERNEL
subl $cond_futex, %ebx
.Lsub_cond_futex:

19: movl (%esp), %eax
call __pthread_disable_asynccancel
.LcleanupEND:
, the unwinder assumes that the signal happened at the last byte of subl, *within*
the instruction range which calls __condvar_w_cleanup2.
--
You are receiving this mail because:
You are on the CC list for the bug.
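A constructed model of the call-site lookup the comment describes, added here as an example and not code from libgcc or glibc: the addresses, region lengths and handler names are assumed. It shows that when the saved pc sits exactly on the boundary at 19: (the first byte after subl), the unconditional --ip of a !HAVE_GETIPINFO target moves the lookup into the preceding region and selects its cleanup handler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an LSDA call-site table entry: the entry covers
   [start, start + len) and names the handler that region unwinds to. */
struct call_site {
    uintptr_t start;
    uintptr_t len;
    const char *handler;
};

/* Two adjacent regions modelled on the pthread_cond_wait excerpt (addresses
   assumed): the futex region that ends at .Lsub_cond_futex is covered by
   __condvar_w_cleanup2; the "19:" block that follows is not. */
static const struct call_site table[] = {
    { 0x1000, 0x20, "__condvar_w_cleanup2" },  /* ... subl; .Lsub_cond_futex */
    { 0x1020, 0x10, "(no handler)" },          /* 19: ... .LcleanupEND       */
};

/* Mirrors the quoted libgcc logic: without HAVE_GETIPINFO, ip_before_insn is
   always 0, so ip is decremented before the table lookup.  Returns the
   handler name of the matching region, or NULL when ip is outside the table. */
const char *find_handler(uintptr_t ip, int ip_before_insn)
{
    if (!ip_before_insn)
        --ip;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (ip >= table[i].start && ip < table[i].start + table[i].len)
            return table[i].handler;
    return NULL;
}

int main(void)
{
    /* Saved pc when SIGCANCEL is delivered at the first byte of "19:". */
    uintptr_t pc = 0x1020;
    printf("with ip_before_insn=1: %s\n", find_handler(pc, 1));
    printf("with ip_before_insn=0: %s\n", find_handler(pc, 0));
    return 0;
}
```

The second lookup is the i386 case: the pc is a signal frame, not a return address, so the decrement is wrong and the lookup lands in the region owned by __condvar_w_cleanup2.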