This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nptl/20116] use after free in pthread_create
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sat, 29 Dec 2018 00:37:43 +0000
- Subject: [Bug nptl/20116] use after free in pthread_create
- Auto-submitted: auto-generated
- References: <bug-20116-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20116
--- Comment #18 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.24/master has been updated
via fcd316654a4510281fff32194b3b9f90e3dfab83 (commit)
from e853f05a5757dfee0c8b7f301e6a52047cc9864a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fcd316654a4510281fff32194b3b9f90e3dfab83
commit fcd316654a4510281fff32194b3b9f90e3dfab83
Author: Carlos O'Donell <carlos@redhat.com>
Date: Sat Jan 28 19:13:34 2017 -0500
Bug 20116: Fix use after free in pthread_create()
The commit documents the ownership rules around 'struct pthread' and
when a thread can read or write to the descriptor. With those ownership
rules in place it becomes obvious that pd->stopped_start should not be
touched in several of the paths during thread startup, particularly so
for detached threads. In the case of detached threads, between the time
the thread is created by the OS kernel and the creating thread checks
pd->stopped_start, the detached thread might have already exited and the
memory for pd unmapped. As a regression test we add a simple test which
exercises this exact case by quickly creating detached threads with
large enough stacks to ensure the thread stack cache is bypassed and the
stacks are unmapped. Before the fix the testcase segfaults, after the
fix it works correctly and completes without issue.
For a detailed discussion see:
https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html
(cherry picked from commit f8bf15febcaf137bbec5a61101e88cd5a9d56ca8)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 33 +++++
NEWS | 1 +
nptl/Makefile | 3 +-
nptl/createthread.c | 10 +-
nptl/pthread_create.c | 207 +++++++++++++++++++++++++++-----
nptl/pthread_getschedparam.c | 1 +
nptl/pthread_setschedparam.c | 1 +
nptl/pthread_setschedprio.c | 1 +
nptl/tpp.c | 2 +
nptl/tst-create-detached.c | 137 +++++++++++++++++++++
sysdeps/nacl/createthread.c | 10 +-
sysdeps/unix/sysv/linux/createthread.c | 16 +--
12 files changed, 367 insertions(+), 55 deletions(-)
create mode 100644 nptl/tst-create-detached.c
--
You are receiving this mail because:
You are on the CC list for the bug.
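The ownership rule the commit message describes can be seen in a small model. The C program below is an added illustration, not code from the glibc commit, the regression test, or the bug report: `struct descr`, `create_detached`, `trampoline` and `run_demo` are toy names standing in for glibc's `struct pthread` and `pthread_create`, and the detached thread frees its own descriptor to stand in for the kernel unmapping a detached thread's stack (where glibc keeps the descriptor). The creator keeps its `stopped_start` decision in a local variable and only touches the descriptor while it still holds the startup lock; the comment marks the spot where the pre-fix code read `pd->stopped_start` after the thread may already be gone.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for glibc's 'struct pthread' (illustrative names, not glibc's).
   A detached thread frees it itself, modelling the kernel unmapping the
   thread's stack, which is where glibc keeps the real descriptor. */
struct descr {
    pthread_mutex_t startup_lock; /* held by the creator while it still owns pd */
    bool stopped_start;           /* thread waits for the creator before running */
    int (*fn)(void *);
    void *arg;
    atomic_int *done;             /* completion counter owned by the caller */
};

static void *trampoline(void *p)
{
    struct descr *pd = p;
    /* Written before pthread_create, so safe for the thread to read. */
    if (pd->stopped_start) {
        pthread_mutex_lock(&pd->startup_lock);   /* wait for hand-over */
        pthread_mutex_unlock(&pd->startup_lock);
    }
    pd->fn(pd->arg);
    atomic_int *done = pd->done;
    /* Detached and finished: reclaim the descriptor. Any later access to
       pd by the creator is a use after free. */
    pthread_mutex_destroy(&pd->startup_lock);
    free(pd);
    atomic_fetch_add(done, 1);
    return NULL;
}

/* Hardened creator: the stopped_start decision lives in a local, so after
   pthread_create the creator touches pd only while holding the startup
   lock, and never at all in the direct-start case. */
int create_detached(int (*fn)(void *), void *arg, bool need_setup, atomic_int *done)
{
    struct descr *pd = calloc(1, sizeof *pd);
    if (pd == NULL)
        return -1;
    pthread_mutex_init(&pd->startup_lock, NULL);
    pd->fn = fn;
    pd->arg = arg;
    pd->done = done;
    bool stopped_start = need_setup;   /* local copy outlives pd */
    pd->stopped_start = stopped_start;
    if (stopped_start)
        pthread_mutex_lock(&pd->startup_lock);   /* ownership stays with us */

    pthread_attr_t attr;
    pthread_attr_init(&attr);
    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
    pthread_t tid;
    int rc = pthread_create(&tid, &attr, trampoline, pd);
    pthread_attr_destroy(&attr);
    if (rc != 0) {
        /* No thread started, so pd is still ours to release. */
        if (stopped_start)
            pthread_mutex_unlock(&pd->startup_lock);
        pthread_mutex_destroy(&pd->startup_lock);
        free(pd);
        return rc;
    }
    /* Pre-fix glibc tested pd->stopped_start here; for a detached thread
       that has already run and exited, pd is gone (bug 20116). */
    if (stopped_start) {
        /* Still ours: finish setup that needed the thread paused, then
           hand the descriptor over by releasing the lock. */
        pthread_mutex_unlock(&pd->startup_lock);
    }
    /* pd now belongs to the new thread; the creator must not touch it. */
    return 0;
}

/* Constructed workload: worker i adds i to a shared sum. */
static atomic_int g_sum;

static int worker(void *arg)
{
    atomic_fetch_add(&g_sum, (int)(intptr_t)arg);
    return 0;
}

/* Creates n detached workers (alternating stopped and direct start), waits
   for all of them, and returns their sum, n*(n+1)/2. */
int run_demo(int n)
{
    atomic_int done = 0;
    atomic_store(&g_sum, 0);
    int created = 0;
    for (int i = 1; i <= n; i++)
        if (create_detached(worker, (void *)(intptr_t)i, i % 2 == 0, &done) == 0)
            created++;
    while (atomic_load(&done) < created)
        sched_yield();   /* 'done' is on our stack: wait before returning */
    return atomic_load(&g_sum);
}
```

`run_demo(8)` returns 36 once every worker has finished. The model does not reproduce glibc's stack cache; the commit's regression test defeats that cache with large stacks so that a detached thread's stack, and with it the descriptor, is really unmapped on exit. The point the model does show is the discipline that makes the fix correct: decide everything the creator needs before creating the thread, keep it in the creator's own storage, and treat the descriptor as the new thread's property from the moment the lock is released.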