diff options
author | Takashi Yano <takashi.yano@nifty.ne.jp> | 2023-08-04 17:45:34 +0900 |
---|---|---|
committer | Takashi Yano <takashi.yano@nifty.ne.jp> | 2023-08-04 17:49:29 +0900 |
commit | 3b4f6217c371cf70d5ec5137436cfa5892bb45e8 (patch) | |
tree | 5b02f7f74808559ef59e53b6d29a719302290244 /winsup | |
parent | ab78bd2d228027d0ac5a84bfc409444d3ce18948 (diff) | |
download | newlib-3b4f6217c371cf70d5ec5137436cfa5892bb45e8.zip newlib-3b4f6217c371cf70d5ec5137436cfa5892bb45e8.tar.gz newlib-3b4f6217c371cf70d5ec5137436cfa5892bb45e8.tar.bz2 |
Cygwin: pty: Fix thread safety of readahead buffer handling in pty master.
Previously, though readahead buffer handling in pty master was not
fully thread-safe, accept_input() was called from peek_pipe() thread
in select.cc. This caused the problem reported in:
https://cygwin.com/pipermail/cygwin/2023-July/253984.html
The mechanism of the problem is:
1) accept_input() which is called from peek_pipe() thread calls
eat_readahead(-1) before reading readahead buffer. This allows
writing to the readahead buffer from another (main) thread.
2) The main thread calls fhandler_pty_master::write() just after
eat_readahead(-1) was called and before reading the readahead
buffer by accept_input() called from peek_pipe() thread. This
overwrites the readahead buffer.
3) The read result from readahead buffer which was overwritten is
sent to the slave.
This patch makes readahead buffer handling fully thread-safe using
input_mutex to resolve this issue.
Fixes: 7b03b0d8cee0 ("select.cc (peek_pipe): Call flush_to_slave whenever we're checking for a pty master.")
Reported-by: Thomas Wolff <towo@towo.net>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
Diffstat (limited to 'winsup')
-rw-r--r-- | winsup/cygwin/fhandler/pty.cc | 10 | ||||
-rw-r--r-- | winsup/cygwin/local_includes/fhandler.h | 8 |
2 files changed, 13 insertions, 5 deletions
diff --git a/winsup/cygwin/fhandler/pty.cc b/winsup/cygwin/fhandler/pty.cc index 8b8c42b..db3b77e 100644 --- a/winsup/cygwin/fhandler/pty.cc +++ b/winsup/cygwin/fhandler/pty.cc @@ -436,8 +436,10 @@ static int osi; void fhandler_pty_master::flush_to_slave () { + WaitForSingleObject (input_mutex, mutex_timeout); if (get_readahead_valid () && !(get_ttyp ()->ti.c_lflag & ICANON)) accept_input (); + ReleaseMutex (input_mutex); } void @@ -523,8 +525,6 @@ fhandler_pty_master::accept_input () DWORD bytes_left; int ret = 1; - WaitForSingleObject (input_mutex, mutex_timeout); - char *p = rabuf () + raixget (); bytes_left = eat_readahead (-1); @@ -625,7 +625,6 @@ fhandler_pty_master::accept_input () if (write_to == get_output_handle ()) SetEvent (input_available_event); /* Set input_available_event only when the data is written to cyg pipe. */ - ReleaseMutex (input_mutex); return ret; } @@ -2235,9 +2234,9 @@ fhandler_pty_master::write (const void *ptr, size_t len) { /* This accept_input() call is needed in order to transfer input which is not accepted yet to non-cygwin pipe. */ + WaitForSingleObject (input_mutex, mutex_timeout); if (get_readahead_valid ()) accept_input (); - WaitForSingleObject (input_mutex, mutex_timeout); acquire_attach_mutex (mutex_timeout); fhandler_pty_slave::transfer_input (tty::to_nat, from_master, get_ttyp (), @@ -2305,9 +2304,10 @@ fhandler_pty_master::write (const void *ptr, size_t len) get_ttyp (), input_available_event); release_attach_mutex (); } - ReleaseMutex (input_mutex); line_edit_status status = line_edit (p, len, ti, &ret); + ReleaseMutex (input_mutex); + if (status > line_edit_signalled && status != line_edit_pipe_full) ret = -1; return ret; diff --git a/winsup/cygwin/local_includes/fhandler.h b/winsup/cygwin/local_includes/fhandler.h index 661fe23..03b51a7 100644 --- a/winsup/cygwin/local_includes/fhandler.h +++ b/winsup/cygwin/local_includes/fhandler.h @@ -2572,6 +2572,14 @@ public: int tcgetpgrp (); void flush_to_slave (); void discard_input (); + void acquire_input_mutex_if_necessary (DWORD ms) + { + WaitForSingleObject (input_mutex, ms); + } + void release_input_mutex_if_necessary (void) + { + ReleaseMutex (input_mutex); + } fhandler_pty_master (void *) {} |