public inbox for cygwin@cygwin.com
From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Segmentation fault due to double free for archetype.
Date: Sat, 15 Jan 2022 19:20:30 +0900
Message-ID: <20220115192030.de26356820d839eec3227e70@nifty.ne.jp>

Hi,

I found the following test case causes segmentation fault
in 32 bit cygwin.

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main() {
	/* Open the pty master repeatedly without ever closing it, so the
	   pty table fills up and the later opens fail (open() returns -1). */
	for (int i = 0; i < 256; i++) {
		printf("\r%d, %d\n", i, open("/dev/ptmx", O_RDWR | O_NOCTTY));
	}
	return 0;
}


The test case results in:

$ ./a.exe
0, 3
1, 4
2, 5
[...]
125, 128
126, 129
      0 [main] a 50 tty_list::allocate: No pty allocated
127, -1
   1549 [main] a 50 tty_list::allocate: No pty allocated
128, -1
   3047 [main] a 50 tty_list::allocate: No pty allocated
129, -1
   4625 [main] a 50 tty_list::allocate: No pty allocated
130, -1
   6477 [main] a 50 tty_list::allocate: No pty allocated
                                                        Segmentation fault (core dumped)


I looked into this problem and found that this is due to
freeing the archetype which was already freed by _cfree().

The mechanism of the problem is:
1) archetype is added to archetypes[] at line 675 in dtable.cc
   when trying to open pty.
2) Opening pty fails because too many ptys are opened.
3) archetype is deleted at line 444 in fhandler.cc.
4) archetype is copied from archetypes[] at line 659 in dtable.cc
   which is already freed in step 3) when trying to open pty again.
5) Opening pty fails again.
6) archetype which was already freed in step 3) is deleted at
   line 444 in fhandler.cc.

I am not sure why this does not happen in 64 bit cygwin.
I guess the double free does not cause a segfault by chance in
64 bit cygwin.

I also found the following patch fixes the issue. Is this the
right thing?

diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
index fc7c0422e..e51208117 100644
--- a/winsup/cygwin/fhandler.cc
+++ b/winsup/cygwin/fhandler.cc
@@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode)
 	|| open (flags, mode & 07777)))
     {
       if (archetype)
-	delete archetype;
+	cygheap->fdtab.delete_archetype (archetype);
     }
   else if (archetype)
     {
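
Review bot: the replacement of `delete archetype;` with `cygheap->fdtab.delete_archetype (archetype);` on the failure path only closes the reported double free if delete_archetype both removes the entry from archetypes[] and releases the object; that definition is not in this hunk, so a reviewer would want it confirmed, since an unlink without a release turns the crash into a leak on every failed open. A one-line comment above the call saying that archetypes[] still references the object at this point would make the reason for not using plain `delete` obvious to the next reader.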

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>
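
As an added illustration of the lifecycle in steps 1) to 6) of the report (a constructed model, not Cygwin's code; archetypes[], plain_delete, delete_archetype and failing_open are hypothetical stand-ins), this C program shows why deleting the object without unlinking its archetypes[] entry leaves a stale pointer that the next failing open picks up, and why a table-aware delete does not. Objects live in a fixed pool with an "alive" flag so the second delete is detected rather than performed.

```c
/* Pool of objects with an "alive" flag, so a second delete is detected
   rather than performed (a real double free is undefined behaviour). */
#define POOL 4
struct arch { int dev; int alive; };
static struct arch pool[POOL];
static struct arch *archetypes[POOL];   /* shared lookup table (hypothetical) */
static int narch;

void reset_model(void) { narch = 0; for (int i = 0; i < POOL; i++) pool[i].alive = 0; }

static struct arch *find_archetype(int dev)
{
  for (int i = 0; i < narch; i++)
    if (archetypes[i]->dev == dev) return archetypes[i];
  return 0;
}

static struct arch *new_archetype(int dev)
{
  for (int i = 0; i < POOL; i++)
    if (!pool[i].alive) {
      pool[i].dev = dev; pool[i].alive = 1;
      if (narch < POOL) archetypes[narch++] = &pool[i];   /* step 1): added to table */
      return &pool[i];
    }
  return 0;
}

/* Buggy disposal (steps 3 and 6): marks the object dead but leaves
   archetypes[] pointing at it. Returns 1 on an already-dead object. */
int plain_delete(struct arch *a)
{ int dbl = !a->alive; a->alive = 0; return dbl; }

/* Fixed disposal: unlink the table entry first, then delete. */
int delete_archetype(struct arch *a)
{
  for (int i = 0; i < narch; i++)
    if (archetypes[i] == a) { archetypes[i] = archetypes[--narch]; break; }
  return plain_delete(a);
}

/* One failing open_with_arch: look the archetype up (step 4) or create it,
   the underlying open fails (steps 2 and 5), the archetype is disposed of.
   Returns 1 if that disposal was a double delete, -1 if the pool is full. */
int failing_open(int dev, int use_fix)
{
  struct arch *a = find_archetype(dev);
  if (!a) a = new_archetype(dev);
  if (!a) return -1;
  return use_fix ? delete_archetype(a) : plain_delete(a);
}
```

Two consecutive failing opens of the same device reproduce the report: with plain_delete the second open finds the stale entry and deletes it again, with delete_archetype it allocates a fresh object and deletes it once.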
