diff options
author | Sergey Bugaev <bugaevc@gmail.com> | 2023-05-17 22:14:32 +0300 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2023-05-17 22:59:50 +0200 |
commit | c7fcce38c83a2bb665ef5dc4981bf20c7e586123 (patch) | |
tree | 5f8c474fc9c8af09835e720f74060b1b1b27d23b /sysdeps/mach/hurd/i386/tls.h | |
parent | aa19c68d2bdf3a831894f609b8ac5c8f123268b2 (diff) | |
download | glibc-c7fcce38c83a2bb665ef5dc4981bf20c7e586123.tar.gz glibc-c7fcce38c83a2bb665ef5dc4981bf20c7e586123.tar.xz glibc-c7fcce38c83a2bb665ef5dc4981bf20c7e586123.zip |
hurd: Make sure to not use tcb->self
Unlike sigstate->thread, tcb->self did not hold a Mach port reference on the thread port it names. This means that the port can be deallocated, and the name reused for something else, without anyone noticing. Using tcb->self will then lead to port use-after-free. Fortunately nothing was accessing tcb->self, other than it being intially set to then-valid thread port name upon TCB initialization. To assert that this keeps being the case without altering TCB layout, rename self -> self_do_not_use, and stop initializing it. Also, do not (re-)allocate a whole separate and unused stack for the main thread, and just exit __pthread_setup early in this case. Found upon attempting to use tcb->self and getting unexpected crashes. Signed-off-by: Sergey Bugaev <bugaevc@gmail.com> Message-Id: <20230517191436.73636-7-bugaevc@gmail.com>
Diffstat (limited to 'sysdeps/mach/hurd/i386/tls.h')
-rw-r--r-- | sysdeps/mach/hurd/i386/tls.h | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sysdeps/mach/hurd/i386/tls.h b/sysdeps/mach/hurd/i386/tls.h index e124fb10e9..ba283008a8 100644 --- a/sysdeps/mach/hurd/i386/tls.h +++ b/sysdeps/mach/hurd/i386/tls.h @@ -32,7 +32,7 @@ typedef struct { void *tcb; /* Points to this structure. */ dtv_t *dtv; /* Vector of pointers to TLS data. */ - thread_t self; /* This thread's control port. */ + thread_t self_do_not_use; /* This thread's control port. */ int multiple_threads; uintptr_t sysinfo; uintptr_t stack_guard; @@ -419,7 +419,6 @@ _hurd_tls_new (thread_t child, tcbhead_t *tcb) HURD_TLS_DESC_DECL (desc, tcb); tcb->tcb = tcb; - tcb->self = child; if (HURD_SEL_LDT (sel)) err = __i386_set_ldt (child, sel, &desc, 1); |