This is the mail archive of the mailing list for the glibc project.
[PATCH] nptl_db: Check TA in td_ta_map_lwp2thr()
- From: "Maciej W. Rozycki" <macro at codesourcery dot com>
- To: libc-alpha at sourceware dot org
- Cc: "Maciej W. Rozycki" <macro at linux-mips dot org>
- Date: Sat, 22 Aug 2009 00:56:45 +0100 (BST)
- Subject: [PATCH] nptl_db: Check TA in td_ta_map_lwp2thr()
While debugging a problem with gdbserver, it has come to my attention
that, while the caller shouldn't be deliberately passing an invalid thread
agent (TA) specifier to td_ta_map_lwp2thr(), this function should still
handle this case gracefully. The thread_db library this function belongs
to reserves the TD_BADTA error code for such a case and uses it with other
Now __td_ta_lookup_th_unique(), a helper function for td_ta_map_lwp2thr(),
does validate the TA, but in the case of a NULL pointer it is not reached
as td_ta_map_lwp2thr() crashes while evaluating the following statement:
td_err_e err = DB_GET_SYMBOL (list, ta, __stack_user);
which is executed before the helper is reached.
The patch below fixes the problem for me. Note that the check cannot be
simply relocated here from __td_ta_lookup_th_unique(), because the helper
is referred to from elsewhere too (alternatively, the check might be
relocated to the other calling place -- please let me know if that would
be preferable; there's a small performance hit from doing the check twice,
but that does not affect code correctness).
This also brings up a conclusion this:
statement is misplaced (the helper can be reached from elsewhere or, if
actually called from td_ta_map_lwp2thr(), it may not be reached at all),
but this is a separate problem, not related to this issue.
2009-08-21 Maciej W. Rozycki <email@example.com>
* nptl_db/td_ta_map_lwp2thr.c (td_ta_map_lwp2thr): Validate the
thread agent specifier passed.
Regression-tested successfully, please apply.
diff --git a/nptl_db/td_ta_map_lwp2thr.c b/nptl_db/td_ta_map_lwp2thr.c
index 78cfcab..21626ac 100644
@@ -181,6 +181,10 @@ td_ta_map_lwp2thr (const td_thragent_t *ta_arg,
td_thragent_t *const ta = (td_thragent_t *) ta_arg;
+ /* Test whether the TA parameter is ok. */
+ if (! ta_ok (ta))
+ return TD_BADTA;
/* We cannot rely on thread registers and such information at all
before __pthread_initialize_minimal has gotten far enough. They
sometimes contain garbage that would confuse us, left by the kernel
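Review bot: the new comment above `if (! ta_ok (ta))` only says the parameter is tested, not why the test has to sit here; since the cover letter explains that DB_GET_SYMBOL (list, ta, __stack_user) dereferences ta before __td_ta_lookup_th_unique() gets a chance to validate it, and that the helper keeps its own check for its other callers, a one-line note such as "Must precede DB_GET_SYMBOL, which dereferences ta; __td_ta_lookup_th_unique re-checks for its other callers." would keep a later reader from removing one of the two checks as redundant.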
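The handle-validation pattern the patch applies, as an added stand-alone C model that is not glibc's nptl_db code: agents are tracked in a registry, a ta_ok()-style check compares the incoming pointer against that registry without dereferencing it, and the entry point returns TD_BADTA for NULL or unknown handles before the point where the unpatched td_ta_map_lwp2thr() crashed. Type, function and field names are simplified assumptions, not the real nptl_db definitions.

```c
/* Added example, not glibc code: a cut-down model of the fix.  Every
   thread agent (TA) handed out by a td_ta_new()-style constructor is
   recorded in a registry, and the public entry point validates its TA
   argument against that registry before the first dereference, returning
   TD_BADTA instead of crashing.  Names are simplified stand-ins.  */
#include <stdlib.h>

typedef enum { TD_OK, TD_ERR, TD_BADTA } td_err_e;

typedef struct td_thragent {
  struct td_thragent *next;  /* registry link */
  int pid;                   /* process the agent was created for */
  int have_stack_user;       /* stand-in for the __stack_user lookup */
} td_thragent_t;

static td_thragent_t *agent_list;  /* all live agents */

/* Same idea as ta_ok (): valid only if we created it and have not
   destroyed it.  Compares pointers, never dereferences the argument.  */
static int ta_ok (const td_thragent_t *ta)
{
  for (const td_thragent_t *p = agent_list; p != NULL; p = p->next)
    if (p == ta)
      return 1;
  return 0;
}

td_thragent_t *ta_new (int pid)
{
  td_thragent_t *ta = calloc (1, sizeof *ta);
  if (ta == NULL)
    return NULL;
  ta->pid = pid;
  ta->have_stack_user = 1;
  ta->next = agent_list;
  agent_list = ta;
  return ta;
}

td_err_e ta_map_lwp2thr (const td_thragent_t *ta_arg, int lwpid,
                         long long *th)
{
  td_thragent_t *const ta = (td_thragent_t *) ta_arg;
  if (! ta_ok (ta))          /* the fix: check before touching *ta */
    return TD_BADTA;
  /* Stand-in for DB_GET_SYMBOL (list, ta, __stack_user): this is the
     first dereference, where the unpatched code crashed on NULL.  */
  if (! ta->have_stack_user)
    return TD_ERR;
  *th = (long long) ta->pid << 32 | (unsigned) lwpid;
  return TD_OK;
}
```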