pthread_create leaves valid mutex pointers on the stack

Jonathan Lennox lennox@cs.columbia.edu
Thu Mar 16 17:03:00 GMT 2006


Cygwin's pthread_create function leaves a pointer to the pthread object's
mutex member on the stack.

If you subsequently call pthread_mutex_init on a mutex in an automatic
variable, it's possible for it to reuse this stack slot.  In this case,
pthread_mutex_init observes that the mutex object is a pointer to a valid
mutex object, and fails with EBUSY.

This program illustrates the problem, with cygwin 1.5.19-4 and gcc 3.4.4-1:

[Attachment: PthreadStackMutex.c, http://cygwin.com/pipermail/cygwin/attachments/20060316/fd29d9a2/attachment.c]


In general, the idea of verifying objects on their init functions seems
dubious to me -- how can you tell initialized objects from random stack or
heap garbage?  In particular, it seems like this is an area where an
attacker could potentially cause odd effects by causing the pthread objects'
magic numbers to be written to the stack or heap in memory that is
subsequently re-used.

-- 
Jonathan Lennox
lennox at cs dot columbia dot edu
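
As an added illustration (not from the post and not Cygwin's source) of why the post questions verification-on-init, here is a toy C model of a handle-style mutex whose init function treats "the handle already points at an object carrying the magic number" as "already initialized", and of the false EBUSY it reports when an automatic variable inherits a stale pointer from an earlier call. The struct layout, magic value and function names are assumptions for the model, not Cygwin's.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MUTEX_MAGIC 0x4d555458u  /* constructed magic value ("MUTX"), not Cygwin's */

/* Model of an implementation-private mutex object tagged with a magic number. */
struct mutex_impl { uint32_t magic; int locked; };
/* Model of an opaque mutex handle: a pointer to the private object. */
typedef struct mutex_impl *model_mutex_t;

static struct mutex_impl pool[4];  /* stands in for heap-allocated objects */

/* The "verification" step: the handle is taken to be initialized if the bits
   it happens to hold point at an object carrying the magic number. */
static int looks_like_valid_mutex(model_mutex_t m) {
    return m != NULL && m->magic == MUTEX_MAGIC;
}

/* Init that verifies first, as the post describes: stale bits that happen to
   point at a live object make it report EBUSY. */
static int verifying_mutex_init(model_mutex_t *m, struct mutex_impl *slot) {
    if (looks_like_valid_mutex(*m)) return EBUSY;
    slot->magic = MUTEX_MAGIC; slot->locked = 0; *m = slot;
    return 0;
}

/* Init that treats any handle passed to it as uninitialized, whatever bits it
   currently holds; avoiding double-init is then the caller's responsibility. */
static int trusting_mutex_init(model_mutex_t *m, struct mutex_impl *slot) {
    slot->magic = MUTEX_MAGIC; slot->locked = 0; *m = slot;
    return 0;
}

/* The post's scenario made deterministic: an earlier call leaves a live
   object's address in a memory slot, and an automatic mutex variable later
   occupies that slot without being written first (memcpy models the reuse). */
static int init_on_stale_slot(int (*init)(model_mutex_t *, struct mutex_impl *)) {
    unsigned char slot[sizeof(model_mutex_t)];
    model_mutex_t earlier = &pool[0];
    pool[0].magic = MUTEX_MAGIC;          /* a mutex that really is in use */
    memcpy(slot, &earlier, sizeof slot);  /* pointer left behind, as by pthread_create */
    model_mutex_t fresh;                  /* the new "uninitialized" variable ... */
    memcpy(&fresh, slot, sizeof fresh);   /* ... inherits the stale pointer */
    return init(&fresh, &pool[1]);
}

/* A handle explicitly zeroed before init never trips the check. */
static int init_on_zeroed_handle(void) {
    model_mutex_t m = NULL;
    return verifying_mutex_init(&m, &pool[2]);
}
```

The model shows the check's false positive, not the real stack layout; on Cygwin the reuse depends on the compiler's frame layout, which is why the post's attached program is needed to reproduce it.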
