From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tyan0@sourceware.org>
Received: by sourceware.org (Postfix, from userid 7868)
	id 2100C3857437; Fri,  4 Aug 2023 08:58:32 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2100C3857437
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1691139512;
	bh=acQj39qwArP018F5sUfOXO63pkWb18KD1qyAC5tYwxM=;
	h=From:To:Subject:Date:From;
	b=SfhyPNCZTfg04lVzf5WyJo3KVaJB2TcPCwZHyISO8ZSHTiu/RusNeyFQyLCnJxzfy
	 qZHsHsH3+cxcjObKuuBYpRp2HZXvjjgVl0w26bqw/SUN2iTmnxLaWDX5hQmJdnipW3
	 4sIqSv8Awa6BhuTtJ+r+Zh/DK1r00CDZ6zEu0ynM=
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Takashi Yano <tyan0@sourceware.org>
To: cygwin-cvs@sourceware.org
Subject: [newlib-cygwin/cygwin-3_4-branch] Cygwin: pty: Fix thread safety of readahead buffer handling in pty master.
X-Act-Checkin: newlib-cygwin
X-Git-Author: Takashi Yano <takashi.yano@nifty.ne.jp>
X-Git-Refname: refs/heads/cygwin-3_4-branch
X-Git-Oldrev: 5259a3eee8fef35a3e11e7f447d01089ec9963dd
X-Git-Newrev: d2354ee412391111f3cb7408a10d9a6af72fe048
Message-Id: <20230804085832.2100C3857437@sourceware.org>
Date: Fri,  4 Aug 2023 08:58:32 +0000 (GMT)
List-Id: <cygwin-cvs.sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=3Dnewlib-cygwin.git;h=3Dd2354ee4123=
91111f3cb7408a10d9a6af72fe048

commit d2354ee412391111f3cb7408a10d9a6af72fe048
Author: Takashi Yano <takashi.yano@nifty.ne.jp>
Date:   Fri Aug 4 17:45:34 2023 +0900

    Cygwin: pty: Fix thread safety of readahead buffer handling in pty mast=
er.
   =20
    Previously, though readahead buffer handling in pty master was not
    fully thread-safe, accept_input() was called from peek_pipe() thread
    in select.cc. This caused the problem reported in:
    https://cygwin.com/pipermail/cygwin/2023-July/253984.html
   =20
    The mechanism of the problem is:
    1) accept_input() which is called from peek_pipe() thread calls
       eat_readahead(-1) before reading readahead buffer. This allows
       writing to the readahead buffer from another (main) thread.
    2) The main thread calls fhandler_pty_master::write() just after
       eat_readahead(-1) was called and before reading the readahead
       buffer by accept_input() called from peek_pipe() thread. This
       overwrites the readahead buffer.
    3) The read result from readahead buffer which was overwritten is
       sent to the slave.
   =20
    This patch makes readahead buffer handling fully thread-safe using
    input_mutex to resolve this issue.
   =20
    Fixes: 7b03b0d8cee0 ("select.cc (peek_pipe): Call flush_to_slave whenev=
er we're checking for a pty master.")
    Reported-by: Thomas Wolff <towo@towo.net>
    Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>

Diff:
---
 winsup/cygwin/fhandler/pty.cc           | 10 +++++-----
 winsup/cygwin/local_includes/fhandler.h |  8 ++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/winsup/cygwin/fhandler/pty.cc b/winsup/cygwin/fhandler/pty.cc
index bb34d1006..e9d9b351d 100644
--- a/winsup/cygwin/fhandler/pty.cc
+++ b/winsup/cygwin/fhandler/pty.cc
@@ -436,8 +436,10 @@ static int osi;
 void
 fhandler_pty_master::flush_to_slave ()
 {
+  WaitForSingleObject (input_mutex, mutex_timeout);
   if (get_readahead_valid () && !(get_ttyp ()->ti.c_lflag & ICANON))
     accept_input ();
+  ReleaseMutex (input_mutex);
 }
=20
 void
@@ -523,8 +525,6 @@ fhandler_pty_master::accept_input ()
   DWORD bytes_left;
   int ret =3D 1;
=20
-  WaitForSingleObject (input_mutex, mutex_timeout);
-
   char *p =3D rabuf () + raixget ();
   bytes_left =3D eat_readahead (-1);
=20
@@ -626,7 +626,6 @@ fhandler_pty_master::accept_input ()
   if (write_to =3D=3D get_output_handle ())
     SetEvent (input_available_event); /* Set input_available_event only wh=
en
 					 the data is written to cyg pipe. */
-  ReleaseMutex (input_mutex);
   return ret;
 }
=20
@@ -2235,9 +2234,9 @@ fhandler_pty_master::write (const void *ptr, size_t l=
en)
 	    {
 	      /* This accept_input() call is needed in order to transfer input
 		 which is not accepted yet to non-cygwin pipe. */
+	      WaitForSingleObject (input_mutex, mutex_timeout);
 	      if (get_readahead_valid ())
 		accept_input ();
-	      WaitForSingleObject (input_mutex, mutex_timeout);
 	      acquire_attach_mutex (mutex_timeout);
 	      fhandler_pty_slave::transfer_input (tty::to_nat, from_master,
 						  get_ttyp (),
@@ -2305,9 +2304,10 @@ fhandler_pty_master::write (const void *ptr, size_t =
len)
 					  get_ttyp (), input_available_event);
       release_attach_mutex ();
     }
-  ReleaseMutex (input_mutex);
=20
   line_edit_status status =3D line_edit (p, len, ti, &ret);
+  ReleaseMutex (input_mutex);
+
   if (status > line_edit_signalled && status !=3D line_edit_pipe_full)
     ret =3D -1;
   return ret;
diff --git a/winsup/cygwin/local_includes/fhandler.h b/winsup/cygwin/local_=
includes/fhandler.h
index e7315ae16..5619e2289 100644
--- a/winsup/cygwin/local_includes/fhandler.h
+++ b/winsup/cygwin/local_includes/fhandler.h
@@ -2550,6 +2550,14 @@ public:
   int tcgetpgrp ();
   void flush_to_slave ();
   void discard_input ();
+  void acquire_input_mutex_if_necessary (DWORD ms)
+  {
+    WaitForSingleObject (input_mutex, ms);
+  }
+  void release_input_mutex_if_necessary (void)
+  {
+    ReleaseMutex (input_mutex);
+  }
=20
   fhandler_pty_master (void *) {}