Bug 15142 - Missing locking in _IO_cleanup
Summary: Missing locking in _IO_cleanup
Alias: None
Product: glibc
Classification: Unclassified
Component: stdio (show other bugs)
Version: 2.3.4
: P2 normal
Target Milestone: 2.38
Assignee: Not yet assigned to anyone
: 30510 (view as bug list)
Depends on:
Reported: 2013-02-13 13:12 UTC by Andreas Schwab
Modified: 2023-07-03 09:08 UTC (History)
3 users (show)

See Also:
Last reconfirmed:
fweimer: security-

Testcase (321 bytes, text/x-csrc)
2013-02-13 13:12 UTC, Andreas Schwab

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schwab 2013-02-13 13:12:21 UTC
Created attachment 6870 [details]

When _IO_flush_all_lockp is called from _IO_cleanup it doesn't do any locking on _IO_list_all, which races with fopen/fclose from other threads.  This can result in heap corruption.
Comment 1 Rich Felker 2013-02-14 20:12:54 UTC
I have two related issues open on the Austin Group bug tracker:


Unfortunately, I believe the current glibc behavior of not performing appropriate locking is intentional, so that exit works even when locks would/should block exit. This is contrary to the requirements of the standard and harmful to applications that have expectations on the atomicity/integrity of stdio operations performed under lock.
Comment 2 Andreas Schwab 2014-03-25 09:23:54 UTC
Doesn't seem any recent progress on the issues.
Comment 3 Sourceware Commits 2017-10-05 15:43:39 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  19f82f358670f4b80533156b9edbf81223358bf9 (commit)
      from  91e7cf982d0104f0e71770f5ae8e3faf352dea9f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------

commit 19f82f358670f4b80533156b9edbf81223358bf9
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 21 16:07:29 2017 +0200

    Always do locking when iterating over list of streams (bug 15142)
    _IO_list_all should only be traversed while locking list_all_lock.


Summary of changes:
 ChangeLog      |    8 +++++++
 libio/genops.c |   60 ++++++++++++++++---------------------------------------
 2 files changed, 26 insertions(+), 42 deletions(-)
Comment 4 Paul Pluzhnikov 2023-06-04 22:16:03 UTC
*** Bug 30510 has been marked as a duplicate of this bug. ***
Comment 5 Florian Weimer 2023-07-03 09:08:46 UTC
Fixed for 2.38 via:

commit af130d27099651e0d27b2cf2cfb44dafd6fe8a26
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Jan 30 10:16:00 2018 +0100

    Always do locking when accessing streams (bug 15142, bug 14697)
    Now that abort no longer calls fflush there is no reason to avoid locking
    the stdio streams anywhere.  This fixes a conformance issue and potential
    heap corruption during exit.