[PATCH] librt: fix NULL pointer dereference (bug 28213)
Никита Попов
npv1310@gmail.com
Mon Aug 9 13:45:03 GMT 2021
Thanks for the feedback. Yes, I confirm that I'm the original author
of this patch. Here is the adjusted version. If necessary, I can write
a proof-of-concept and attach it here.
On Mon, Aug 9, 2021 at 18:32, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
>
> On 8/9/21 6:51 PM, Siddhesh Poyarekar wrote:
> > On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
> >> Helper thread frees copied attribute on NOTIFY_REMOVED message
> >> received from the OS kernel. Unfortunately, it fails to check whether
> >> copied attribute actually exists (data.attr != NULL). This worked
> >> earlier because free() checks passed pointer before actually
> >> attempting to release corresponding memory. But __pthread_attr_destroy
> >> assumes pointer is not NULL. So passing NULL pointer to
> >> __pthread_attr_destroy will result in segmentation fault. This
> >> scenario is possible if notification->sigev_notify_attributes == NULL
> >> (which means default thread attributes should be used).
> >
> > Thank you, the fix looks good to me. Do you have a test case to go with
> > it?
>
> Also, I don't know if you have an FSF copyright assignment, but it's no
> longer necessary. Please confirm that you're the original author and
> are authorized to contribute this patch by adding a DCO, i.e. add a
> Signed-off-by to indicate that. See also:
>
> https://developercertificate.org/
>
> Thanks,
> Siddhesh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-librt-fix-NULL-pointer-dereference-bug-28213.patch
Type: text/x-patch
Size: 1606 bytes
Desc: not available
URL: <https://sourceware.org/pipermail/libc-alpha/attachments/20210809/883e218f/attachment-0001.bin>
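The failure mode described in the quoted commit message, as an added example that is not part of the original message and not glibc's code: a small model of the helper thread's bookkeeping in which the attribute copy is NULL whenever default thread attributes were requested, with the removal path checking for that before destroying. The names `notify_record`, `record_register` and `record_remove` are hypothetical, and the attribute copy is simplified to the detach state.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical model of the record the helper thread keeps per notification. */
struct notify_record {
    pthread_attr_t *attr;   /* copied attributes, or NULL for defaults */
};

/* Registration. `requested` plays the role of
   notification->sigev_notify_attributes; NULL means default attributes. */
static int record_register(struct notify_record *rec,
                           const pthread_attr_t *requested)
{
    int state;

    rec->attr = NULL;
    if (requested == NULL)
        return 0;                       /* nothing is copied */

    rec->attr = malloc(sizeof *rec->attr);
    if (rec->attr == NULL)
        return -1;
    if (pthread_attr_init(rec->attr) != 0 ||
        pthread_attr_getdetachstate(requested, &state) != 0 ||
        pthread_attr_setdetachstate(rec->attr, state) != 0) {
        free(rec->attr);
        rec->attr = NULL;
        return -1;
    }
    return 0;
}

/* Removal handling (the NOTIFY_REMOVED case in the report).
   free(NULL) is a no-op, so an unchecked free() was harmless; a destroy
   routine that assumes a valid object is not, hence the explicit check.
   Returns 1 if a copy was destroyed, 0 if there was none. */
static int record_remove(struct notify_record *rec)
{
    if (rec->attr == NULL)
        return 0;
    pthread_attr_destroy(rec->attr);
    free(rec->attr);
    rec->attr = NULL;                   /* repeated removal stays safe */
    return 1;
}
```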