Bug 10643 - If pthread_create fails in aio_write, requests linked list is corrupted
Summary: If pthread_create fails in aio_write, requests linked list is corrupted
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-15 21:40 UTC by Neil Vachharajani
Modified: 2014-07-01 06:50 UTC

See Also:
Host: i686/x86_64-unknown-linux-gnu
Target: i686/x86_64-unknown-linux-gnu
Build: i686/x86_64-unknown-linux-gnu
Last reconfirmed:
fweimer: security-


Attachments
Test case (589 bytes, text/plain)
2009-09-15 21:41 UTC, Neil Vachharajani

Description Neil Vachharajani 2009-09-15 21:40:35 UTC
When one calls aio_write, it internally calls __aio_enqueue_request, which will in turn call aio_create_helper_thread. If thread creation fails, the newly created request (newp in the code) will still be in the requests linked list, but it will be freed later in __aio_enqueue_request. A subsequent call to aio_write will cause a segmentation fault.

This bug was found in glibc-2.3.6; however, a manual inspection of the code in git reveals that the problem still exists.
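Added example, not glibc's code and not the reporter's attachment: a constructed C model of the enqueue error path described above. The `unlink_on_error` flag selects between the reported behaviour (node left linked after a failed helper start) and the corrected one (node unlinked before it is freed); the `create_helper` stub and every name other than `requests` and `newp` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed, simplified model of the pending-request list: one node per request,
 * newest at the head. glibc's real list is keyed by descriptor; that detail is omitted. */
struct request { int fildes; struct request *next; };
static struct request *requests = NULL;   /* list head, as in glibc */

/* Hypothetical stand-in for aio_create_helper_thread(): nonzero means pthread_create failed. */
static int create_helper(bool fail) { return fail ? -1 : 0; }

/* Number of nodes reachable from the head. */
size_t list_length(void) {
    size_t n = 0;
    for (const struct request *q = requests; q != NULL; q = q->next) n++;
    return n;
}

/* Model of __aio_enqueue_request: link the new node in, then start the helper thread.
 * Returns 0 on success, -1 when the helper could not be created.
 * unlink_on_error == true  : the corrected behaviour, the node is removed before it is freed.
 * unlink_on_error == false : the reported defect, the node stays linked on failure. In glibc
 *   it was then freed, so the next list walk dereferenced freed memory; here it is left
 *   allocated (leaked) so the caller can inspect the list without undefined behaviour. */
int enqueue_request(int fildes, bool helper_fails, bool unlink_on_error) {
    struct request *newp = malloc(sizeof *newp);
    if (newp == NULL) return -1;
    newp->fildes = fildes;
    newp->next = requests;
    requests = newp;                      /* linked in before the thread exists */
    if (create_helper(helper_fails) != 0) {
        if (unlink_on_error) {
            requests = newp->next;        /* it was pushed at the head, so pop it */
            free(newp);
        }
        return -1;
    }
    return 0;
}

/* Free everything still linked (including a stale node left by the buggy path). */
void reset_list(void) {
    while (requests != NULL) {
        struct request *q = requests;
        requests = q->next;
        free(q);
    }
}
```

After a failed enqueue the list length is the check that matters: with the fix it is unchanged, without it a node the caller believes is gone is still reachable from `requests`.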
Comment 1 Neil Vachharajani 2009-09-15 21:41:37 UTC
Created attachment 4198
Test case

If this is compiled with -DCRASH, then the program will segfault.  Otherwise,
it will work properly.
Comment 2 Ulrich Drepper 2009-10-30 04:02:34 UTC
There were a number of problems in that area.  I think I fixed them in git.