From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Segmentation fault due to double free for archetype.
Date: Mon, 17 Jan 2022 12:01:51 +0100
In-Reply-To: <20220115192030.de26356820d839eec3227e70@nifty.ne.jp>
List-Id: General Cygwin discussions and problem reports
On Jan 15 19:20, Takashi Yano wrote:
> Hi,
>
> I found the following test case causes segmentation fault
> in 32 bit cygwin.
> [...]
> I looked into this problem and found that this is due to
> freeing archetype which was already freed by _cfree().
>
> The mechanism of the problem is:
> 1) archetype is added to archetypes[] at line 675 in dtable.cc
>    when trying to open pty.
> 2) Opening pty fails because too many ptys are opened.
> 3) archetype is deleted at line 444 in fhandler.cc.
> 4) archetype is copied from archetypes[] at line 659 in dtable.cc,
>    which is already freed in step 3), when trying to open pty again.
> 5) Opening pty fails again.
> 6) archetype which was already freed in step 3) is deleted at
>    line 444 in fhandler.cc.
>
> I am not sure why this does not happen in 64 bit cygwin.
> I guess double free does not cause segfault by chance in
> 64 bit cygwin.
>
> I also found the following patch fixes the issue. Is this the
> right thing?
>
> diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
> index fc7c0422e..e51208117 100644
> --- a/winsup/cygwin/fhandler.cc
> +++ b/winsup/cygwin/fhandler.cc
> @@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode)
> || open (flags, mode & 07777)))
> {
> if (archetype)
> - delete archetype;
> + cygheap->fdtab.delete_archetype (archetype);
> }
> else if (archetype)
> {

Good catch!  I think this is basically ok, but you have to check the
usecount, i.e.

  if (archetype && archetype_usecount (-1) == 0)
    cygheap->fdtab.delete_archetype (archetype);

Does that sound right?

Corinna
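Review bot: the new failure path at `+ cygheap->fdtab.delete_archetype (archetype);` unlinks and deletes the archetype unconditionally, without dropping this descriptor's reference or checking whether other descriptors still share it; the description's step 4 shows that later opens of the same device pick the archetype up from archetypes[], so a shared archetype deleted here leaves those descriptors with a dangling pointer, the same class of bug the patch is fixing. Guard the call on the use count reaching zero, as in `if (archetype && archetype_usecount (-1) == 0)` before `cygheap->fdtab.delete_archetype (archetype);`, and confirm the `else if (archetype)` branch that follows keeps its count in step with the new decrement.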
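As an added illustration, not code from Cygwin or from either poster, the C model below replays the six-step sequence from the report against a fixed pool in place of the heap, so the second delete is counted rather than corrupting anything. The names archetype, archetypes[], usecount and delete_archetype are borrowed from the thread; the pool, device_open(), the variant enum and the pty limit are constructed assumptions. It runs the failure path three ways (the original delete, the patch as posted, and the patch guarded by the usecount check from the reply) and also shows why the guard matters when another descriptor still shares the archetype.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a descriptor table that shares one "archetype"
 * object between all descriptors open on the same device.  Names follow
 * the mail thread; the model itself is hypothetical, not Cygwin code. */

#define MAX_ARCH 4
#define MAX_PTYS 1      /* assumption: one pty may be open, the next open fails */

struct archetype {
    int dev;            /* device the archetype stands for */
    int usecount;       /* descriptors currently sharing it */
    bool live;          /* cleared on delete, so a double delete is observable */
};

/* A fixed pool stands in for the heap: deleting twice is counted, not UB. */
static struct archetype pool[MAX_ARCH];
static struct archetype *archetypes[MAX_ARCH];  /* the shared-object table */
static int narch, double_deletes, open_ptys;

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(archetypes, 0, sizeof archetypes);
    narch = double_deletes = open_ptys = 0;
}

static struct archetype *arch_new(int dev)
{
    for (int i = 0; i < MAX_ARCH; i++)
        if (!pool[i].live) {
            pool[i].dev = dev; pool[i].usecount = 0; pool[i].live = true;
            return &pool[i];
        }
    return NULL;
}

/* Steps 1 and 4 of the report: reuse the table entry for this device if
 * there is one (even a stale one), otherwise create and register one. */
static struct archetype *find_or_add_archetype(int dev)
{
    for (int i = 0; i < narch; i++)
        if (archetypes[i]->dev == dev)
            return archetypes[i];
    struct archetype *a = arch_new(dev);
    if (a && narch < MAX_ARCH)
        archetypes[narch++] = a;
    return a;
}

/* Plain "delete archetype": the object dies, the table is left alone. */
static void arch_delete(struct archetype *a)
{
    if (!a->live) { double_deletes++; return; }
    a->live = false;
}

/* delete_archetype(): unlink from the table first, then delete. */
static void delete_archetype(struct archetype *a)
{
    for (int i = 0; i < narch; i++)
        if (archetypes[i] == a) { archetypes[i] = archetypes[--narch]; break; }
    arch_delete(a);
}

static bool device_open(void)
{
    if (open_ptys >= MAX_PTYS)
        return false;               /* step 2: too many ptys */
    open_ptys++;
    return true;
}

enum variant { BUGGY, PATCH_AS_POSTED, WITH_USECOUNT };

/* open_with_arch(): only the failure path differs between the variants. */
static bool open_with_arch(int dev, enum variant v)
{
    struct archetype *a = find_or_add_archetype(dev);
    a->usecount++;
    if (device_open())
        return true;
    switch (v) {
    case BUGGY:             /* steps 3 and 6: deleted, table entry dangles */
        arch_delete(a);
        break;
    case PATCH_AS_POSTED:   /* unlinked and deleted even if others share it */
        delete_archetype(a);
        break;
    case WITH_USECOUNT:     /* the reply's suggestion: drop our reference first */
        if (--a->usecount == 0)
            delete_archetype(a);
        break;
    }
    return false;
}

/* The report's sequence: two opens of the same device, both failing because
 * the pty limit is already reached.  Returns the double deletes observed. */
static int double_deletes_in_report_sequence(enum variant v)
{
    reset();
    open_ptys = MAX_PTYS;
    open_with_arch(7, v);
    open_with_arch(7, v);
    return double_deletes;
}

/* Why the usecount matters: a descriptor already holds the archetype when a
 * second open of the same device fails.  True if it is still tabled and live. */
static bool shared_archetype_survives(enum variant v)
{
    reset();
    open_with_arch(7, v);           /* succeeds: first pty */
    open_with_arch(7, v);           /* fails: limit reached, same archetype */
    return narch == 1 && archetypes[0]->live;
}

int main(void)
{
    const char *name[] = { "buggy", "patch as posted", "with usecount" };
    for (int v = BUGGY; v <= WITH_USECOUNT; v++)
        printf("%-16s double deletes: %d  shared archetype survives: %s\n",
               name[v], double_deletes_in_report_sequence((enum variant) v),
               shared_archetype_survives((enum variant) v) ? "yes" : "no");
    return 0;
}
```

The pool's `live` flag plays the role a hardened allocator or AddressSanitizer plays on the real code: it turns the silent second free, which the report notes "by chance" does not crash on 64 bit, into a counted event. The patch as posted does stop the double delete, but the second scenario shows it evicting an archetype another descriptor still uses; only the usecount-guarded variant passes both.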