diff options
| author | Carlos O'Donell <carlos@redhat.com> | 2017-01-28 19:13:34 -0500 |
|---|---|---|
| committer | Aurelien Jarno <aurelien@aurel32.net> | 2018-12-29 01:35:01 +0100 |
| commit | fcd316654a4510281fff32194b3b9f90e3dfab83 (patch) | |
| tree | c36afd14a49ef16dfff7b8743c4e982c0a5f655e /sysdeps/unix | |
| parent | e853f05a5757dfee0c8b7f301e6a52047cc9864a (diff) | |
| download | glibc-fcd316654a4510281fff32194b3b9f90e3dfab83.tar glibc-fcd316654a4510281fff32194b3b9f90e3dfab83.tar.gz glibc-fcd316654a4510281fff32194b3b9f90e3dfab83.tar.bz2 glibc-fcd316654a4510281fff32194b3b9f90e3dfab83.zip | |
Bug 20116: Fix use after free in pthread_create()
The commit documents the ownership rules around 'struct pthread' and
when a thread can read or write to the descriptor. With those ownership
rules in place it becomes obvious that pd->stopped_start should not be
touched in several of the paths during thread startup, particularly so
for detached threads. In the case of detached threads, between the time
the thread is created by the OS kernel and the creating thread checks
pd->stopped_start, the detached thread might have already exited and the
memory for pd unmapped. As a regression test we add a simple test which
exercises this exact case by quickly creating detached threads with
large enough stacks to ensure the thread stack cache is bypassed and the
stacks are unmapped. Before the fix the testcase segfaults, after the
fix it works correctly and completes without issue.
For a detailed discussion see:
https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html
(cherry picked from commit f8bf15febcaf137bbec5a61101e88cd5a9d56ca8)
Diffstat (limited to 'sysdeps/unix')
| -rw-r--r-- | sysdeps/unix/sysv/linux/createthread.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/sysdeps/unix/sysv/linux/createthread.c b/sysdeps/unix/sysv/linux/createthread.c index ec86f50814..80b2cad54e 100644 --- a/sysdeps/unix/sysv/linux/createthread.c +++ b/sysdeps/unix/sysv/linux/createthread.c @@ -46,7 +46,7 @@ static int start_thread (void *arg) __attribute__ ((noreturn)); static int create_thread (struct pthread *pd, const struct pthread_attr *attr, - bool stopped_start, STACK_VARIABLES_PARMS, bool *thread_ran) + bool *stopped_start, STACK_VARIABLES_PARMS, bool *thread_ran) { /* Determine whether the newly created threads has to be started stopped since we have to set the scheduling parameters or set the @@ -54,13 +54,11 @@ create_thread (struct pthread *pd, const struct pthread_attr *attr, if (attr != NULL && (__glibc_unlikely (attr->cpuset != NULL) || __glibc_unlikely ((attr->flags & ATTR_FLAG_NOTINHERITSCHED) != 0))) - stopped_start = true; + *stopped_start = true; - pd->stopped_start = stopped_start; - if (__glibc_unlikely (stopped_start)) - /* We make sure the thread does not run far by forcing it to get a - lock. We lock it here too so that the new thread cannot continue - until we tell it to. */ + pd->stopped_start = *stopped_start; + if (__glibc_unlikely (*stopped_start)) + /* See CONCURRENCY NOTES in nptl/pthread_creat.c. */ lll_lock (pd->lock, LLL_PRIVATE); /* We rely heavily on various flags the CLONE function understands: @@ -117,7 +115,7 @@ create_thread (struct pthread *pd, const struct pthread_attr *attr, /* Set the affinity mask if necessary. */ if (attr->cpuset != NULL) { - assert (stopped_start); + assert (*stopped_start); res = INTERNAL_SYSCALL (sched_setaffinity, err, 3, pd->tid, attr->cpusetsize, attr->cpuset); @@ -140,7 +138,7 @@ create_thread (struct pthread *pd, const struct pthread_attr *attr, /* Set the scheduling parameters. */ if ((attr->flags & ATTR_FLAG_NOTINHERITSCHED) != 0) { - assert (stopped_start); + assert (*stopped_start); res = INTERNAL_SYSCALL (sched_setscheduler, err, 3, pd->tid, pd->schedpolicy, &pd->schedparam); |