authorRich Felker <dalias@aerifal.cx>2017-10-13 23:00:34 -0400
committerRich Felker <dalias@aerifal.cx>2017-10-13 23:00:34 -0400
commitc1e27367a9b26b9baac0f37a12349fc36567c8b6 (patch)
tree88accade820f5d320b504b517b043b951fec583e /src
parent907476925fca05f24ebca5fcdc21f1e58ba7b313 (diff)
fix read-after-free type error in pthread_detach
calling __unlock on t->exitlock is not valid because __unlock reads the waiters count after making the atomic store that could allow pthread_exit to continue and unmap the thread's stack and the object t points to. for now, inline the __unlock logic with an unconditional futex wake operation so that the waiters count is not needed. once __lock/__unlock have been made safe for self-synchronized destruction, we could switch back to using them.
Diffstat (limited to 'src')
-rw-r--r--src/thread/pthread_detach.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/thread/pthread_detach.c b/src/thread/pthread_detach.c
index ed77f74..1348260 100644
--- a/src/thread/pthread_detach.c
+++ b/src/thread/pthread_detach.c
@@ -9,7 +9,8 @@ static int __pthread_detach(pthread_t t)
if (a_swap(t->exitlock, 1))
return __pthread_join(t, 0);
t->detached = 2;
- __unlock(t->exitlock);
+ a_store(t->exitlock, 0);
+ __wake(t->exitlock, 1, 1);
return 0;
}
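Review bot: The two added lines in `__pthread_detach` carry no comment saying why `__unlock` is open-coded, so a later cleanup could restore the call and bring back the read of freed thread memory that the commit message describes. I would put a comment above the store, for example `/* t may be unmapped once exitlock is cleared: no reads of *t after a_store, so __unlock() cannot be used here */`. The `__wake(t->exitlock, 1, 1)` call is safe only if `t->exitlock` is an array member, so that the argument is an address computation and not a load from `t`; the `a_swap(t->exitlock, 1)` call suggests this, but the declaration is not visible here and should be confirmed. Because the wake is now unconditional and may be issued on an address that has already been unmapped or reused, the comment should also record that any waiter on that address is expected to tolerate a spurious wake. The function's opening lines are outside the hunk.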