From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-cvs-return-13829-listarch-cygwin-cvs=sources.redhat.com@cygwin.com>
Received: (qmail 66353 invoked by alias); 22 Jan 2019 15:38:41 -0000
Mailing-List: contact cygwin-cvs-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin-cvs.cygwin.com>
List-Subscribe: <mailto:cygwin-cvs-subscribe@cygwin.com>
List-Post: <mailto:cygwin-cvs@cygwin.com>
List-Help: <mailto:cygwin-cvs-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-cvs-owner@cygwin.com
Received: (qmail 66239 invoked by uid 9078); 22 Jan 2019 15:38:40 -0000
Date: Tue, 22 Jan 2019 15:38:00 -0000
Message-ID: <20190122153840.66238.qmail@sourceware.org>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Corinna Vinschen <corinna@sourceware.org>
To: cygwin-cvs@sourceware.org
Subject: [newlib-cygwin] Cygwin: posix timers: allocate timer_tracker on
 system heap.
X-Act-Checkin: newlib-cygwin
X-Git-Author: Corinna Vinschen <corinna@vinschen.de>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 6c44af8179f71a4355659008e1a58c793171e17d
X-Git-Newrev: 83c51fffe6bad36a7143c30946ac5445f9ca4c56
X-SW-Source: 2019-q1/txt/msg00088.txt.bz2

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=83c51fffe6bad36a7143c30946ac5445f9ca4c56

commit 83c51fffe6bad36a7143c30946ac5445f9ca4c56
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Tue Jan 22 16:22:45 2019 +0100

    Cygwin: posix timers: allocate timer_tracker on system heap.
    
    Allocating on the cygheap would copy information of the tracker into
    the child process.  A forked child knows the timer id and could simply
    still access the (free'd but still valid) timer_tracker on the heap,
    which is dangerous and very certainly doesn't reflect POSIX semantics.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/cygheap_malloc.h | 3 +--
 winsup/cygwin/posix_timer.cc   | 5 +++--
 winsup/cygwin/posix_timer.h    | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/winsup/cygwin/cygheap_malloc.h b/winsup/cygwin/cygheap_malloc.h
index cd545c3..74f0bb6 100644
--- a/winsup/cygwin/cygheap_malloc.h
+++ b/winsup/cygwin/cygheap_malloc.h
@@ -34,8 +34,7 @@ enum cygheap_types
   HEAP_2_DLL,
   HEAP_MMAP,
   HEAP_2_MAX = 200,
-  HEAP_3_FHANDLER,
-  HEAP_3_TIMER
+  HEAP_3_FHANDLER
 };
 
 extern "C" {
diff --git a/winsup/cygwin/posix_timer.cc b/winsup/cygwin/posix_timer.cc
index 8651c22..e969dcc 100644
--- a/winsup/cygwin/posix_timer.cc
+++ b/winsup/cygwin/posix_timer.cc
@@ -414,10 +414,11 @@ timer_tracker::settime (int flags, const itimerspec *new_value,
   return ret;
 }
 
-/* The timers are stored on the cygheap. */
+/* The timers are stored on the system heap in order to avoid accidental
+   leaking of timer ids into the child process. */
 #define cnew(name, ...) \
   ({ \
-    void* ptr = (void*) ccalloc (HEAP_3_TIMER, 1, sizeof (name)); \
+    void* ptr = (void*) HeapAlloc (GetProcessHeap (), 0, sizeof (name)); \
     ptr ? new (ptr) name (__VA_ARGS__) : NULL; \
   })
 
diff --git a/winsup/cygwin/posix_timer.h b/winsup/cygwin/posix_timer.h
index 04a383f..f69a179 100644
--- a/winsup/cygwin/posix_timer.h
+++ b/winsup/cygwin/posix_timer.h
@@ -30,7 +30,7 @@ class timer_tracker
 
  public:
   void *operator new (size_t, void *p) __attribute__ ((nothrow)) {return p;}
-  void operator delete (void *p) { cfree (p); }
+  void operator delete (void *p) { HeapFree (GetProcessHeap (), 0, p); }
   timer_tracker (clockid_t, const sigevent *);
   ~timer_tracker ();
   inline bool is_timer_tracker () const { return magic == TT_MAGIC; }