diff options
author | Carlos O'Donell <carlos@redhat.com> | 2017-01-28 19:13:34 -0500 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2017-01-28 19:21:44 -0500 |
commit | f8bf15febcaf137bbec5a61101e88cd5a9d56ca8 (patch) | |
tree | 77e4625039c3eb70b5dad4e1a1dcbb30517f3e60 /ChangeLog | |
parent | faf0e9c84119742dd9ebb79060faa22c52ae80a1 (diff) | |
download | glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.gz glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.xz glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.zip |
Bug 20116: Fix use after free in pthread_create()
The commit documents the ownership rules around 'struct pthread' and when a thread can read or write to the descriptor. With those ownership rules in place it becomes obvious that pd->stopped_start should not be touched in several of the paths during thread startup, particularly so for detached threads. In the case of detached threads, between the time the thread is created by the OS kernel and the creating thread checks pd->stopped_start, the detached thread might have already exited and the memory for pd unmapped. As a regression test we add a simple test which exercises this exact case by quickly creating detached threads with large enough stacks to ensure the thread stack cache is bypassed and the stacks are unmapped. Before the fix the testcase segfaults, after the fix it works correctly and completes without issue. For a detailed discussion see: https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index e468b59767..4e0d78851c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,36 @@ +2016-01-28 Carlos O'Donell <carlos@redhat.com> + Alexey Makhalov <amakhalov@vmware.com> + Florian Weimer <fweimer@redhat.com> + + [BZ #20116] + * nptl/pthread_create.c: Document concurrency notes. + Enhance thread creation notes. + (create_thread): Use bool *stopped_start. + (START_THREAD_DEFN): Comment ownership of PD. + (__pthread_create_2_1): Add local bool stopped_start and use + that instead of pd->stopped_start where appropriate. + * nptl/createthread.c (create_thread): Use bool *stopped_start. + * sysdeps/nacl/createthread.c (create_thread): Use bool *stopped_start. + * sysdeps/unix/sysv/linux/createthread.c (create_thread): Likewise. + * nptl/tst-create-detached.c: New file. + * nptl/Makefile (tests): Add tst-create-detached. + * nptl/pthread_getschedparam.c (__pthread_getschedparam): + Reference the enhanced thread creation notes. + * nptl/pthread_setschedparam.c (__pthread_setschedparam): Likewise. + * nptl/pthread_setschedprio.c (pthread_setschedprio): Likewise. + * nptl/tpp.c (__pthread_tpp_change_priority): Likewise. + (__pthread_current_priority): Likewise. + * support/Makefile (libsupport-routines): Add xpthread_attr_destroy + xpthread_attr_init, xpthread_attr_setdetachstate, and + xpthread_attr_setstacksize. + * support/xpthread_attr_destroy.c: New file. + * support/xpthread_attr_init.c: New file. + * support/xpthread_attr_setdetachstate.c: New file. + * support/xpthread_attr_setstacksize.c: New file. + * support/xthread.h: Define prototypes for xpthread_attr_destroy + xpthread_attr_init, xpthread_attr_setdetachstate, and + xpthread_attr_setstacksize. + 2017-01-27 Florian Weimer <fweimer@redhat.com> * nptl/Makefile (tests): Add tst-robust-fork. |