aboutsummaryrefslogtreecommitdiff
path: root/nptl/createthread.c
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@redhat.com>2017-01-28 19:13:34 -0500
committerCarlos O'Donell <carlos@redhat.com>2017-01-28 19:21:44 -0500
commitf8bf15febcaf137bbec5a61101e88cd5a9d56ca8 (patch)
tree77e4625039c3eb70b5dad4e1a1dcbb30517f3e60 /nptl/createthread.c
parentfaf0e9c84119742dd9ebb79060faa22c52ae80a1 (diff)
downloadglibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.zip
glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.gz
glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.bz2
Bug 20116: Fix use after free in pthread_create()
The commit documents the ownership rules around 'struct pthread' and when a thread can read or write to the descriptor. With those ownership rules in place it becomes obvious that pd->stopped_start should not be touched in several of the paths during thread startup, particularly so for detached threads. In the case of detached threads, between the time the thread is created by the OS kernel and the creating thread checks pd->stopped_start, the detached thread might have already exited and the memory for pd unmapped. As a regression test we add a simple test which exercises this exact case by quickly creating detached threads with large enough stacks to ensure the thread stack cache is bypassed and the stacks are unmapped. Before the fix the testcase segfaults, after the fix it works correctly and completes without issue. For a detailed discussion see: https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html
Diffstat (limited to 'nptl/createthread.c')
-rw-r--r--nptl/createthread.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/nptl/createthread.c b/nptl/createthread.c
index 345f425..6c67b7e 100644
--- a/nptl/createthread.c
+++ b/nptl/createthread.c
@@ -25,16 +25,14 @@
static int
create_thread (struct pthread *pd, const struct pthread_attr *attr,
- bool stopped_start, STACK_VARIABLES_PARMS, bool *thread_ran)
+ bool *stopped_start, STACK_VARIABLES_PARMS, bool *thread_ran)
{
/* If the implementation needs to do some tweaks to the thread after
it has been created at the OS level, it can set STOPPED_START here. */
- pd->stopped_start = stopped_start;
- if (__glibc_unlikely (stopped_start))
- /* We make sure the thread does not run far by forcing it to get a
- lock. We lock it here too so that the new thread cannot continue
- until we tell it to. */
+ pd->stopped_start = *stopped_start;
+ if (__glibc_unlikely (*stopped_start))
+ /* See CONCURRENCY NOTES in nptl/pthread_create.c. */
lll_lock (pd->lock, LLL_PRIVATE);
return ENOSYS;