diff options
author | Carlos O'Donell <carlos@redhat.com> | 2017-01-28 19:13:34 -0500 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2017-01-28 19:21:44 -0500 |
commit | f8bf15febcaf137bbec5a61101e88cd5a9d56ca8 (patch) | |
tree | 77e4625039c3eb70b5dad4e1a1dcbb30517f3e60 /nptl/tst-create-detached.c | |
parent | faf0e9c84119742dd9ebb79060faa22c52ae80a1 (diff) | |
download | glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.zip glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.gz glibc-f8bf15febcaf137bbec5a61101e88cd5a9d56ca8.tar.bz2 |
Bug 20116: Fix use after free in pthread_create()
The commit documents the ownership rules around 'struct pthread' and
when a thread can read or write to the descriptor. With those ownership
rules in place it becomes obvious that pd->stopped_start should not be
touched in several of the paths during thread startup, particularly so
for detached threads. In the case of detached threads, between the time
the thread is created by the OS kernel and the creating thread checks
pd->stopped_start, the detached thread might have already exited and the
memory for pd unmapped. As a regression test we add a simple test which
exercises this exact case by quickly creating detached threads with
large enough stacks to ensure the thread stack cache is bypassed and the
stacks are unmapped. Before the fix the testcase segfaults, after the
fix it works correctly and completes without issue.
For a detailed discussion see:
https://www.sourceware.org/ml/libc-alpha/2017-01/msg00505.html
Diffstat (limited to 'nptl/tst-create-detached.c')
-rw-r--r-- | nptl/tst-create-detached.c | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/nptl/tst-create-detached.c b/nptl/tst-create-detached.c new file mode 100644 index 0000000..ea93e44 --- /dev/null +++ b/nptl/tst-create-detached.c @@ -0,0 +1,137 @@ +/* Bug 20116: Test rapid creation of detached threads. + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; see the file COPYING.LIB. If + not, see <http://www.gnu.org/licenses/>. */ + +/* The goal of the test is to trigger a failure if the parent touches + any part of the thread descriptor after the detached thread has + exited. We test this by creating many detached threads with large + stacks. The stacks quickly fill the the stack cache and subsequent + threads will start to cause the thread stacks to be immediately + unmapped to satisfy the stack cache max. With the stacks being + unmapped the parent's read of any part of the thread descriptor will + trigger a segfault. That segfault is what we are trying to cause, + since any segfault is a defect in the implementation. */ + +#include <pthread.h> +#include <stdio.h> +#include <errno.h> +#include <unistd.h> +#include <stdbool.h> +#include <sys/resource.h> +#include <support/xthread.h> + +/* Number of threads to create. */ +enum { threads_to_create = 100000 }; + +/* Number of threads which should spawn other threads. */ +enum { creator_threads = 2 }; + +/* Counter of threads created so far. This is incremented by all the + running creator threads. */ +static unsigned threads_created; + +/* Thread callback which does nothing, so that the thread exits + immediatedly. */ +static void * +do_nothing (void *arg) +{ + return NULL; +} + +/* Attribute indicating that the thread should be created in a detached + fashion. */ +static pthread_attr_t detached; + +/* Barrier to synchronize initialization. */ +static pthread_barrier_t barrier; + +static void * +creator_thread (void *arg) +{ + int ret; + xpthread_barrier_wait (&barrier); + + while (true) + { + pthread_t thr; + /* Thread creation will fail if the kernel does not free old + threads quickly enough, so we do not report errors. */ + ret = pthread_create (&thr, &detached, do_nothing, NULL); + if (ret == 0 && __atomic_add_fetch (&threads_created, 1, __ATOMIC_SEQ_CST) + >= threads_to_create) + break; + } + + return NULL; +} + +static int +do_test (void) +{ + /* Limit the size of the process, so that memory allocation will + fail without impacting the entire system. */ + { + struct rlimit limit; + if (getrlimit (RLIMIT_AS, &limit) != 0) + { + printf ("FAIL: getrlimit (RLIMIT_AS) failed: %m\n"); + return 1; + } + /* This limit, 800MB, is just a heuristic. Any value can be + picked. */ + long target = 800 * 1024 * 1024; + if (limit.rlim_cur == RLIM_INFINITY || limit.rlim_cur > target) + { + limit.rlim_cur = target; + if (setrlimit (RLIMIT_AS, &limit) != 0) + { + printf ("FAIL: setrlimit (RLIMIT_AS) failed: %m\n"); + return 1; + } + } + } + + xpthread_attr_init (&detached); + + xpthread_attr_setdetachstate (&detached, PTHREAD_CREATE_DETACHED); + + /* A large thread stack seems beneficial for reproducing a race + condition in detached thread creation. The goal is to reach the + limit of the runtime thread stack cache such that the detached + thread's stack is unmapped after exit and causes a segfault when + the parent reads the thread descriptor data stored on the the + unmapped stack. */ + xpthread_attr_setstacksize (&detached, 16 * 1024 * 1024); + + xpthread_barrier_init (&barrier, NULL, creator_threads); + + pthread_t threads[creator_threads]; + + for (int i = 0; i < creator_threads; ++i) + threads[i] = xpthread_create (NULL, creator_thread, NULL); + + for (int i = 0; i < creator_threads; ++i) + xpthread_join (threads[i]); + + xpthread_attr_destroy (&detached); + + xpthread_barrier_destroy (&barrier); + + return 0; +} + +#include <support/test-driver.c> |