Bug 19957 - clone(CLONE_VM) access invalid parent memory
Summary: clone(CLONE_VM) access invalid parent memory
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.24
Importance: P2 normal
Target Milestone: 2.24
Assignee: Adhemerval Zanella
Duplicates: 19859
Reported: 2016-04-15 19:40 UTC by Adhemerval Zanella
Modified: 2017-03-28 04:24 UTC
fweimer: security-


Description Adhemerval Zanella 2016-04-15 19:40:31 UTC
As stated in previous bug reports [1] [2] [3], clone(CLONE_VM) resets the pthread pid/tid to -1, leading to inconsistent internal state.

This has not been an issue since clone itself is a tricky syscall when used along with glibc (since glibc requires consistent pthread internal state); however, the recent posix_spawn has shown this issue because it internally uses clone(CLONE_VM) in a controlled way (just to spawn the new thread).

In the libc-alpha mailing list discussion [4], the question was raised of why exactly clone(CLONE_VM) needs to clear the pthread, and it was concluded that it is in fact wrong to mess with the parent's thread structure. The proposed solution is, as with CLONE_THREAD, to avoid clearing the pid/tid fields for CLONE_VM.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=10311
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=18006
[3] https://sourceware.org/bugzilla/show_bug.cgi?id=18862
[4] https://sourceware.org/ml/libc-alpha/2016-04/msg00307.html
Comment 1 Florian Weimer 2016-04-25 14:32:10 UTC
This breaks recursive mutexes after a call to posix_spawn.
Comment 2 Adhemerval Zanella 2016-04-25 14:37:51 UTC
I have sent a third version with a proposed fix for all architectures [1]. The fixes for alpha, microblaze, sh, ia64, tile, hppa, m68k, and nios2 have not been tested; I would appreciate any possible review.

[1] https://sourceware.org/ml/libc-alpha/2016-04/msg00564.html
Comment 3 Adhemerval Zanella 2016-04-29 21:23:36 UTC
Fixed by 0cb313f7cb0e418b3d56f3a2ac69790522ab825d.
Comment 4 Adhemerval Zanella 2016-05-30 13:11:25 UTC
*** Bug 19859 has been marked as a duplicate of this bug. ***
Comment 5 Andrei Vagin 2017-03-28 00:19:51 UTC
The fix for this bug breaks backward compatibility.
https://bugzilla.redhat.com/show_bug.cgi?id=1436446
Comment 7 Andrei Vagin 2017-03-28 01:07:29 UTC
commit c579f48edba88380635ab98cb612030e3ed8691e
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Oct 10 15:08:39 2016 -0300

    Remove cached PID/TID in clone
Comment 8 Adhemerval Zanella 2017-03-28 04:24:22 UTC
As you noted, it was fixed by c579f48 (Remove cached PID/TID in clone) on master by removing the Linux getpid implementation altogether (and then using the auto-generation syscall). I think for 2.24 the straightforward fix is to just remove the Linux getpid implementation.
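
A regression check for the behaviour described in the Description, Comment 1 and Comment 8, added here as an example and not taken from glibc or from any comment in this report. It runs a clone(CLONE_VM) child and then verifies that the parent can still re-lock a recursive mutex it already owns and that getpid() matches the raw syscall on both sides. The function name, the bitmask values and the 64 KiB stack are choices of this example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct child_view { pid_t libc_pid, raw_pid; };  /* filled in by the child */
static char child_stack[64 * 1024] __attribute__((aligned(16)));

/* Runs in the CLONE_VM child: parent's address space and TLS, separate stack. */
static int child_fn(void *arg)
{
    struct child_view *v = arg;
    v->libc_pid = getpid();                   /* libc's view of the PID */
    v->raw_pid = (pid_t)syscall(SYS_getpid);  /* kernel's view of the PID */
    return 0;
}

/* Returns 0 if all state is consistent, a bitmask of failed checks, or -1. */
int check_clone_vm_state(void)
{
    struct child_view v = { 0, 0 };
    pthread_mutexattr_t attr;
    pthread_mutex_t mtx;
    int bad = 0;

    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
    pthread_mutex_init(&mtx, &attr);
    pthread_mutex_lock(&mtx);  /* owner is recorded before the clone */

    /* CLONE_VFORK suspends the parent until the child exits, so v is complete. */
    pid_t pid = clone(child_fn, child_stack + sizeof child_stack,
                      CLONE_VM | CLONE_VFORK | SIGCHLD, &v);
    if (pid == -1)
        return -1;
    waitpid(pid, NULL, 0);
    if (getpid() != (pid_t)syscall(SYS_getpid))
        bad |= 1;  /* parent's getpid() no longer matches the kernel */
    if (pthread_mutex_trylock(&mtx) != 0)
        bad |= 2;  /* recursive re-lock by the owning thread was refused */
    if (v.libc_pid != v.raw_pid || v.raw_pid != pid)
        bad |= 4;  /* child's getpid() is not its real PID */
    return bad;
}

int main(void) { return check_clone_vm_state() != 0; }
```

The check uses pthread_mutex_trylock rather than pthread_mutex_lock so that a libc with inconsistent owner state reports a failure instead of blocking.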