Date: Sat, 15 Jan 2022 19:20:30 +0900
From: Takashi Yano
To: cygwin@cygwin.com
Subject: Segmentation fault due to double free for archetype.
Message-Id: <20220115192030.de26356820d839eec3227e70@nifty.ne.jp>

Hi,

I found the following test case causes a segmentation fault in 32 bit cygwin.

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main()
{
  /* Keep opening ptys without closing them until allocation fails. */
  for (int i = 0; i < 256; i++)
    {
      printf("\r%d, %d\n", i, open("/dev/ptmx", O_RDWR | O_NOCTTY));
    }
  return 0;
}

The test case results in:

$ ./a.exe
0, 3
1, 4
2, 5
[...]
125, 128
126, 129
0 [main] a 50 tty_list::allocate: No pty allocated
127, -1
1549 [main] a 50 tty_list::allocate: No pty allocated
128, -1
3047 [main] a 50 tty_list::allocate: No pty allocated
129, -1
4625 [main] a 50 tty_list::allocate: No pty allocated
130, -1
6477 [main] a 50 tty_list::allocate: No pty allocated
Segmentation fault (core dumped)

I looked into this problem and found that this is due to freeing an archetype which was already freed by _cfree(). The mechanism of the problem is:

1) The archetype is added to archetypes[] at line 675 in dtable.cc when trying to open a pty.
2) Opening the pty fails because too many ptys are opened.
3) The archetype is deleted at line 444 in fhandler.cc.
4) The archetype, which was already freed in step 3), is copied from archetypes[] at line 659 in dtable.cc when trying to open a pty again.
5) Opening the pty fails again.
6) The archetype which was already freed in step 3) is deleted at line 444 in fhandler.cc.

I am not sure why this does not happen in 64 bit cygwin. I guess the double free does not cause a segfault in 64 bit cygwin by chance.

I also found the following patch fixes the issue. Is this the right thing?

diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
index fc7c0422e..e51208117 100644
--- a/winsup/cygwin/fhandler.cc
+++ b/winsup/cygwin/fhandler.cc
@@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode) || open (flags, mode & 07777))) { if (archetype) - delete archetype; + cygheap->fdtab.delete_archetype (archetype); } else if (archetype) {

-- 
Takashi Yano
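Review bot: the hunk only closes the double free if cygheap->fdtab.delete_archetype() both removes the entry from archetypes[] and frees the object; its body is not visible here, so please confirm it does both, otherwise either the stale entry described in step 4) survives or the object leaks. Routing the failure path through the table's own API is the right direction, since the report shows the object being registered in dtable.cc (line 675) but destroyed in fhandler.cc (line 444), so ownership of the entry and of the object were split across two files. The `if (archetype)` guard is kept, so the null case is unchanged.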
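The sequence in steps 1) to 6) above, as an added model that is not Cygwin's code and not from the report: a table of owning pointers, a failure path that frees the object but leaves its entry behind, and the patched path that unlinks the entry first. The names Archetype, ArchetypeTable, release and open_with_arch are constructed for the illustration, and `release` stands in for `delete` so that the second free is counted rather than corrupting the heap.

```cpp
#include <algorithm>
#include <vector>

// Constructed model of the lifecycle described in the report; not Cygwin code.
// An "archetype" is shared through a table of owning pointers (archetypes[]).
struct Archetype {
  int dev;
  bool freed = false;  // stands in for heap state so a second release is observable
  explicit Archetype(int d) : dev(d) {}
};
static int g_double_frees = 0;             // what a real heap would turn into a crash
static std::vector<Archetype *> g_allocs;  // bookkeeping so the model itself leaks nothing

// Model of `delete archetype`: counts a double free instead of corrupting the heap.
static void release(Archetype *a) {
  if (a->freed) { g_double_frees++; return; }
  a->freed = true;
}

struct ArchetypeTable {
  std::vector<Archetype *> slots;
  Archetype *find(int dev) {            // step 4: hands back whatever the table holds, stale or not
    for (Archetype *a : slots) if (a->dev == dev) return a;
    return nullptr;
  }
  void add(Archetype *a) { slots.push_back(a); }
  void delete_archetype(Archetype *a) { // patched path: unlink the entry, then release the object
    slots.erase(std::remove(slots.begin(), slots.end(), a), slots.end());
    release(a);
  }
};

// One open attempt whose underlying open fails (pty exhausted): steps 1-3 and 5-6.
static int open_with_arch(ArchetypeTable &t, int dev, bool patched) {
  Archetype *a = t.find(dev);
  if (!a) { a = new Archetype(dev); g_allocs.push_back(a); t.add(a); }  // step 1: register
  if (patched) t.delete_archetype(a);  // entry removed, so the next lookup allocates afresh
  else release(a);                     // original code: object freed, table entry left dangling
  return -1;
}

// Two failing opens in a row; returns how many double frees the model observed.
int count_double_frees(bool patched) {
  g_double_frees = 0;
  ArchetypeTable t;
  for (int attempt = 0; attempt < 2; attempt++) open_with_arch(t, 0, patched);
  for (Archetype *a : g_allocs) delete a;
  g_allocs.clear();
  return g_double_frees;  // 1 for the original failure path, 0 with the patch
}
```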