about summary refs log tree commit diff
path: root/NEWS
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2019-02-15 21:27:01 +0100
committerFlorian Weimer <fweimer@redhat.com>2019-02-15 21:27:01 +0100
commit067fc32968b601493f4b247a3ac00caeea3f3d61 (patch)
tree0e2b7618cbaefef297198842834e947b6bec4cb3 /NEWS
parentc096b008d2671028c21ac8cf01f18a2083e73c44 (diff)
downloadglibc-067fc32968b601493f4b247a3ac00caeea3f3d61.tar.gz
glibc-067fc32968b601493f4b247a3ac00caeea3f3d61.tar.xz
glibc-067fc32968b601493f4b247a3ac00caeea3f3d61.zip
nptl: Fix invalid Systemtap probe in pthread_join [BZ #24211]
After commit f1ac7455831546e5dca0ed98fe8af2686fae7ce6 ("arm: Use "nr"
constraint for Systemtap probes [BZ #24164]"), we load pd->result into
a register in the probe below:

      /* Free the TCB.  */
      __free_tcb (pd);
    }
  else
    pd->joinid = NULL;

  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);

However, at this point, the thread descriptor has been freed.  If the
thread stack does not fit into the thread stack cache, the memory will
have been unmapped, and the program will crash in the probe.

(cherry picked from commit bc10e22c90e42613bd5dafb77b80a9ea1759dd1b)
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS1
1 files changed, 1 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index dbcdd48502..340e06d0f4 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ The following bugs are resolved with this release:
   [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
   [24164] Systemtap probes need to use "nr" constraint on 32-bit Arm
   [24161] __run_fork_handlers self-deadlocks in malloc/tst-mallocfork2
+  [24211] Use-after-free in Systemtap probe in pthread_join
 
 Security related changes: