The fhandler_base_overlapped::copyto clears atomic_write_buf on the
clone, but none of the derived classes were doing this. This allowed
the destructor to double-free the buffer and corrupt cygheap.
Clear atomic_write_buf in copyto of all derived classes.
{
x->pc.free_strings ();
*reinterpret_cast<fhandler_pipe *> (x) = *this;
+ reinterpret_cast<fhandler_pipe *> (x)->atomic_write_buf = NULL;
x->reset (this);
}
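Review bot: the added `atomic_write_buf = NULL` line sits directly after the whole-object assignment `*reinterpret_cast<fhandler_pipe *> (x) = *this;` with no comment, and out of context it reads as if a live buffer were being dropped. A one-line comment stating that the clone must not share the original's buffer, because the destructor of each object frees it, would keep the line from being removed in a later cleanup. The cast is also now spelled out twice in a row; a local `fhandler_pipe *` for the cast result would make both statements easier to read.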
{
x->pc.free_strings ();
*reinterpret_cast<fhandler_fifo *> (x) = *this;
+ reinterpret_cast<fhandler_fifo *> (x)->atomic_write_buf = NULL;
x->reset (this);
}
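Review bot: this fifo reset is a verbatim copy of the one in the pipe copyto, so the rule "do not share atomic_write_buf with the clone" is now enforced separately in the base class and in each derived override. Any other class that overrides copyto with the same whole-object assignment will bring the double free back. Consider moving the reset into one helper in fhandler_base_overlapped that the overrides call after the assignment, and state in the commit message which derived classes were checked, since only the pipe and fifo overrides are visible here.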
- Return ESPIPE rather than EINVAL from lseek on a fifo.
Addresses: https://cygwin.com/ml/cygwin/2018-10/msg00019.html
+
+- Fix a memory corruption when using pipes or FIFOs
+ Addresses: https://cygwin.com/ml/cygwin-patches/2018-q4/msg00000.html
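Review bot: the new release-note entry "Fix a memory corruption when using pipes or FIFOs" does not say what was corrupted or under which condition, which makes it hard for a user to tell whether a crash they saw is the one fixed. Wording that names the double free of the atomic write buffer on a cloned pipe or FIFO handler, and the resulting cygheap corruption described in the commit message, would be more useful.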