Bug 21031 - pthread_key_delete() race with thread finalization
Summary: pthread_key_delete() race with thread finalization
Status: UNCONFIRMED
Alias: None
Product: glibc
Classification: Unclassified
Component: nptl
Version: 2.24
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2017-01-07 19:29 UTC by Leo Yuriev
Modified: 2018-03-28 12:17 UTC
fweimer: security-


Description Leo Yuriev 2017-01-07 19:29:09 UTC
A race condition could occur between pthread_key_delete() and __nptl_deallocate_tsd().

For instance, __nptl_deallocate_tsd() could call a destructor for the key immediately before pthread_key_delete() invalidates it (from another thread), and would continue executing the destructor after pthread_key_delete() has completed.

From user code, this looks as if the corresponding destructor executes after the key has been removed by pthread_key_delete(), and there is no way to know whether the destructor was called/executed or not.

Suggest adding pthread_rwlock_rdlock() for __nptl_deallocate_tsd() and pthread_rwlock_wrlock() for pthread_key_delete().
Comment 1 Leo Yuriev 2018-03-28 12:17:11 UTC
Related to bugs 18136, 21032.
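
An application-side way to keep cleanup deterministic despite the race described in this report, as an added example (not glibc code and not from the reporter): a mutex-guarded registry decides whether the thread-exit destructor or the deleting thread frees each value, so a destructor that runs late does nothing. The `wrapped_*` functions, `struct node`, `reg_lock` and `demo()` are hypothetical names, and a single mutex is used here instead of the rwlock pair proposed for glibc itself.

```c
#include <pthread.h>
#include <stdlib.h>
/* Hypothetical application-side wrapper; only the pthread_* calls are real API. */
struct node { struct node *next; char data[16]; };   /* one per-thread value */
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static struct node *live;          /* values that nobody has released yet */
static int key_alive, released;    /* released: counter for the demo */
static pthread_key_t key;
static void release_locked(struct node *n) {   /* caller holds reg_lock */
    struct node **pp = &live;
    while (*pp && *pp != n) pp = &(*pp)->next;
    if (!*pp) return;              /* already released; n is never dereferenced */
    *pp = n->next;
    free(n); released++;
}
static void destructor(void *arg) {   /* may run after the key was deleted */
    pthread_mutex_lock(&reg_lock);
    if (key_alive) release_locked(arg);   /* otherwise the deleter did cleanup */
    pthread_mutex_unlock(&reg_lock);
}
int wrapped_key_create(void) { key_alive = 1; return pthread_key_create(&key, destructor); }
void *wrapped_set(void) {          /* allocate and register the caller's value */
    struct node *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    pthread_mutex_lock(&reg_lock);
    n->next = live; live = n;
    pthread_mutex_unlock(&reg_lock);
    pthread_setspecific(key, n); return n;
}
/* Caller guarantees no thread still uses its value; each is freed exactly once. */
int wrapped_key_delete(void) {
    pthread_mutex_lock(&reg_lock);
    key_alive = 0;
    while (live) release_locked(live);
    pthread_mutex_unlock(&reg_lock);
    return pthread_key_delete(key);
}
static void *worker(void *unused) { (void)unused; wrapped_set(); return NULL; }
int demo(void) {   /* constructed run: 4 threads exit, 1 value left to the deleter */
    pthread_t t[4];
    wrapped_key_create();
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    void *stale = wrapped_set();
    wrapped_key_delete();
    destructor(stale);             /* simulated late destructor: must be a no-op */
    return released;
}
int main(void) { return demo() == 5 ? 0 : 1; }
```

The direct `destructor(stale)` call stands in for the interleaving from the description, where the destructor is picked up before the key is deleted and executes afterwards.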