AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-09-20 00:19:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

nptl: Fix invalid Systemtap probe in pthread_join [BZ #24211]

Browse Source 
After commit f1ac745583 ("arm: Use "nr"
constraint for Systemtap probes [BZ #24164]"), we load pd->result into
a register in the probe below:

      /* Free the TCB.  */
      __free_tcb (pd);
    }
  else
    pd->joinid = NULL;

  LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);

However, at this point, the thread descriptor has been freed.  If the
thread stack does not fit into the thread stack cache, the memory will
have been unmapped, and the program will crash in the probe.

(cherry picked from commit bc10e22c90)
This commit is contained in:
Florian Weimer 2019-02-15 21:27:01 +01:00
parent c096b008d2
commit 067fc32968
3 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
2019-02-15 Florian Weimer <fweimer@redhat.com>
[BZ #24211]
* nptl/pthread_join_common.c (__pthread_timedjoin_ex): Do not read
pd->result after the thread descriptor has been freed.
2019-02-08 Florian Weimer <fweimer@redhat.com>
[BZ #24161]

1
NEWS
View File

@ -12,6 +12,7 @@ The following bugs are resolved with this release:
[24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
[24164] Systemtap probes need to use "nr" constraint on 32-bit Arm
[24161] __run_fork_handlers self-deadlocks in malloc/tst-mallocfork2
[24211] Use-after-free in Systemtap probe in pthread_join
Security related changes:

5
nptl/pthread_join_common.c
View File

@ -86,6 +86,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
pthread_cleanup_pop (0);
}
void *pd_result = pd->result;
if (__glibc_likely (result == 0))
{
/* We mark the thread as terminated and as joined. */
@ -93,7 +94,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
/* Store the return value if the caller is interested. */
if (thread_return != NULL)
*thread_return = pd->result;
*thread_return = pd_result;
/* Free the TCB. */
__free_tcb (pd);
@ -101,7 +102,7 @@ __pthread_timedjoin_ex (pthread_t threadid, void **thread_return,
else
pd->joinid = NULL;
LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd->result);
LIBC_PROBE (pthread_join_ret, 3, threadid, result, pd_result);
return result;
}