Bug 23532 - race condition in muntrace
Summary: race condition in muntrace
Status: RESOLVED WONTFIX
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc (show other bugs)
Version: 2.17
: P2 enhancement
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-15 21:02 UTC by jeremy.lin
Modified: 2018-10-25 07:41 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description jeremy.lin 2018-08-15 21:02:02 UTC 
On a CentOS 7 system (glibc 2.17), I ran into a crash that appears to be due to muntrace() setting a file pointer to NULL when it could still be in use. The issue still exists in the master branch.

From https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/mtrace.c;h=9064f209ec3b24c6b341a31fe8acfe98580a59ba;hb=refs/heads/master#l340

330 void
331 muntrace (void)
332 {
333   if (mallstream == NULL)
334     return;
335 
336   /* Do the reverse of what done in mtrace: first reset the hooks and
337      MALLSTREAM, and only after that write the trailer and close the
338      file.  */
339   FILE *f = mallstream;
340   mallstream = NULL;
341   __free_hook = tr_old_free_hook;
342   __malloc_hook = tr_old_malloc_hook;
343   __realloc_hook = tr_old_realloc_hook;
344   __memalign_hook = tr_old_memalign_hook;
345 
346   fprintf (f, "= End\n");
347   fclose (f);
348 }

Here, `mallstream` is being set to NULL before the old hook functions are restored, so the tracing hook functions are still in place and potentially trying to use `mallstream` (from another thread).

Nulling `mallstream` later would make this race less likely, but could presumably still be an issue if another thread were already inside one of the hook functions. I realize mtrace/muntrace are marked MT-Unsafe, so I guess this is more of a nice-to-have change than a real bug.

For reference, my backtrace was:

#0  _IO_vfprintf_internal (s=0x0, format=0x7f86d961ee9c "@ %s%s%s[%p] ", ap=ap@entry=0x7f86b06d2218)
    at vfprintf.c:1271
#1  0x00007f86d94f1827 in __fprintf (stream=<optimized out>, 
    format=format@entry=0x7f86d961ee9c "@ %s%s%s[%p] ") at fprintf.c:32
#2  0x00007f86d95242e5 in tr_where (caller=caller@entry=0x7f86d9567f9b <re_dfa_add_node+347>, 
    info=info@entry=0x7f86b06d2320) at mtrace.c:110
#3  0x00007f86d9524588 in tr_reallochook (ptr=0x7f86a96657e0, size=416, 
    caller=0x7f86d9567f9b <re_dfa_add_node+347>) at mtrace.c:220
#4  0x00007f86d9567f9b in re_dfa_add_node (dfa=0x7f86a9671f80, token=...) at regex_internal.c:1433
#5  0x00007f86d9579704 in calc_first (node=0x7f86a95fed48, extra=<optimized out>) at regcomp.c:1375
#6  postorder (fn=0x7f86d956c180 <calc_first>, extra=0x7f86a9671f80, root=<optimized out>) at regcomp.c:1226
#7  analyze (preg=<optimized out>) at regcomp.c:1180
#8  re_compile_internal (preg=preg@entry=0x7f86b06d2540, pattern=pattern@entry=0x7759d7 "^[0-9]{1,6}$", 
    length=<optimized out>, syntax=syntax@entry=242428) at regcomp.c:797
#9  0x00007f86d957aa50 in __regcomp (preg=preg@entry=0x7f86b06d2540, pattern=0x7759d7 "^[0-9]{1,6}$", 
    cflags=cflags@entry=1) at regcomp.c:499
[...snip...]
Comment 1 Carlos O'Donell 2018-08-15 23:08:42 UTC 
Thank you very much for filling the bug! We do appreciate suggestions like this.

For now I'm marking this RESOLVED/WONTFIX. We are not going to fix this with the hooks interface. Soon the hooks will be deprecated and usable only with LD_PRELOAD=libmalloc-extras.so (when my patch for this goes in upstream).

For now muntrace is marked MT-unsafe and cannot be used with threads. When we get a thread-safe backend we will adjust the safety markup. I expect the new tracer will be based on the trace infrastructure the Red Hat team (DJ, Florian, myself) made for trace/simulation, since that's thread safe.