Bug 10643

Summary: If pthread_create fails in aio_write, requests linked list is corrupted
Product: glibc
Reporter: Neil Vachharajani <nvachhar>
Component: libc
Assignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED
Severity: normal
CC: glibc-bugs, ppluzhnikov
Priority: P2
Flags: fweimer: security-
Version: unspecified
Target Milestone: ---
Host: i686/x86_64-unknown-linux-gnu
Target: i686/x86_64-unknown-linux-gnu
Build: i686/x86_64-unknown-linux-gnu
Last reconfirmed:
Attachments: Test case

Description Neil Vachharajani 2009-09-15 21:40:35 UTC
When one calls aio_write, it internally calls __aio_enqueue_request, which will in turn call aio_create_helper_thread. If thread creation fails, the newly created request (newp in the code) will still be in the requests linked list, but it will be freed later in __aio_enqueue_request. A subsequent call to aio_write will cause a segmentation fault.

This bug was found in glibc-2.3.6; however, a manual inspection of the code in git reveals that the problem still exists.
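The failure mode the report describes is a node that stays reachable from a linked list after it has been freed, so the next traversal dereferences freed memory. The following is an added, simplified model written for this page, not glibc's code: the names `enqueue_buggy`, `enqueue_fixed`, `create_helper_thread` and `simulate_thread_failure` are hypothetical, the list is a plain head-inserted singly linked list rather than glibc's real request structure, and thread creation is stubbed so the failure path can be driven deterministically. The buggy variant frees the node without unlinking it (leaving the head dangling); the fixed variant unlinks first, which is the general defensive pattern for any "link, then fallible setup, then free on error" sequence.

```c
#include <stdlib.h>

/* Added model of the defect in this report; not glibc's code. */

struct request {
    int fildes;
    struct request *next;
};

struct queue {
    struct request *head;   /* pending requests (model only) */
};

/* Stand-in for pthread_create; the test sets this flag to make it fail.
   Hypothetical hook for the example, not a real API. */
static int simulate_thread_failure = 0;

static int create_helper_thread(void)
{
    return simulate_thread_failure ? -1 : 0;
}

/* Remove node from the list if present. Must run before the node is freed. */
static void unlink_request(struct queue *q, struct request *node)
{
    struct request **pp = &q->head;
    while (*pp != NULL) {
        if (*pp == node) {
            *pp = node->next;
            return;
        }
        pp = &(*pp)->next;
    }
}

/* Buggy pattern: the node is linked, then freed on failure but never
   unlinked, so q->head keeps pointing at freed memory. */
struct request *enqueue_buggy(struct queue *q, int fd)
{
    struct request *newp = malloc(sizeof *newp);
    if (newp == NULL)
        return NULL;
    newp->fildes = fd;
    newp->next = q->head;
    q->head = newp;                 /* reachable from the list from here on */
    if (create_helper_thread() != 0) {
        free(newp);                 /* BUG: still referenced by q->head */
        return NULL;
    }
    return newp;
}

/* Fixed pattern: undo the link before releasing the node. */
struct request *enqueue_fixed(struct queue *q, int fd)
{
    struct request *newp = malloc(sizeof *newp);
    if (newp == NULL)
        return NULL;
    newp->fildes = fd;
    newp->next = q->head;
    q->head = newp;
    if (create_helper_thread() != 0) {
        unlink_request(q, newp);    /* list no longer references newp */
        free(newp);
        return NULL;
    }
    return newp;
}

/* Count nodes; only safe on a list that contains no freed nodes. */
int queue_length(const struct queue *q)
{
    int n = 0;
    for (const struct request *r = q->head; r != NULL; r = r->next)
        n++;
    return n;
}

void queue_free(struct queue *q)
{
    while (q->head != NULL) {
        struct request *r = q->head;
        q->head = r->next;
        free(r);
    }
}

/* Drives both variants through a failed thread creation. Returns 1 when the
   buggy queue is left with a dangling head and the fixed queue stays clean
   and remains usable afterwards. The buggy queue is never traversed. */
int demo(void)
{
    struct queue bad = { NULL }, good = { NULL };
    simulate_thread_failure = 1;
    enqueue_buggy(&bad, 3);
    int bad_head_dangles = (bad.head != NULL);   /* corrupted: points at freed node */
    enqueue_fixed(&good, 3);
    int good_head_clean = (good.head == NULL);
    simulate_thread_failure = 0;
    enqueue_fixed(&good, 4);                      /* later call must still work */
    int ok = bad_head_dangles && good_head_clean
             && queue_length(&good) == 1 && good.head->fildes == 4;
    queue_free(&good);
    return ok;
}
```

Running the buggy path under AddressSanitizer and then enqueuing again would report a heap-use-after-free on the list walk; the fixed path leaves nothing for a sanitizer to flag. The same unlink-before-free discipline applies whenever a node is published into a shared structure before a fallible step completes.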
Comment 1 Neil Vachharajani 2009-09-15 21:41:37 UTC
Created attachment 4198: Test case

If this is compiled with -DCRASH, then the program will segfault. Otherwise, it will work properly.
Comment 2 Ulrich Drepper 2009-10-30 04:02:34 UTC
There were a number of problems in that area.  I think I fixed them in git.