Date: Sat, 07 Oct 2006 01:38:00 -0000
From: "ian at airs dot com"
To: glibc-bugs@sources.redhat.com
Message-ID: <20061007013816.3317.ian@airs.com>
Subject: [Bug nptl/3317] New: Overriding free which clobbers data and calls pthread_getspecific can get bad value

If I override the libc free() function, and change that function to clobber some bytes of the data, and then call pthread_getspecific from that function, pthread_getspecific can return bad data. This is because __nptl_deallocate_tsd frees data before clearing the pointer to that data. This happens around line 185:

    /* The first block is allocated as part of the thread descriptor. */
    free (level2);
    THREAD_SETMEM_NC (self, specific, cnt, NULL);

The order of those lines should be reversed.

I first noticed this bug in linuxthreads, and then discovered that NPTL had the same bug. I will file a separate bug against linuxthreads.

I will attach a test case which shows the problem on i686-pc-linux-gnu using Fedora Core 4 with glibc-2.3.6-3.

-- 
           Summary: Overriding free which clobbers data and calls pthread_getspecific can get bad value
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
        AssignedTo: drepper at redhat dot com
        ReportedBy: ian at airs dot com
                CC: glibc-bugs at sources dot redhat dot com

http://sourceware.org/bugzilla/show_bug.cgi?id=3317
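An added model of the ordering problem described in the report (constructed here; not glibc code and not the reporter's attached test case): a stand-in for the thread descriptor's `specific` table and for pthread_getspecific, plus a free() replacement that poisons the block and performs a key lookup before releasing it. The names tsd_get, clobbering_free, deallocate_buggy and deallocate_fixed are assumptions; the second function shows the reversed order the report asks for.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NKEYS 4
struct level2 { uintptr_t data[NKEYS]; };
/* Stand-in for the thread descriptor's `specific` table (constructed). */
static struct level2 *specific[NKEYS];
static uintptr_t seen_during_free;  /* what the lookup inside free() saw */
/* Stand-in for pthread_getspecific(): reads through the table. */
static uintptr_t tsd_get(unsigned key)
{
    struct level2 *l2 = specific[key / NKEYS];
    return l2 ? l2->data[key % NKEYS] : 0;
}

/* The overriding free() from the report: clobber the block, call the
 * "pthread_getspecific" stand-in, then release. Poisoning happens while
 * the block is still allocated, so the model itself is well-defined. */
static void clobbering_free(void *p, size_t n)
{
    memset(p, 0xA5, n);
    seen_during_free = tsd_get(0);
    free(p);
}
static void setup(void)
{
    specific[0] = calloc(1, sizeof *specific[0]);
    specific[0]->data[0] = 0x1234;  /* constructed TSD value for key 0 */
}
/* Buggy order from __nptl_deallocate_tsd: free, then clear the pointer.
 * The lookup inside free() reads the poisoned block (0xA5A5...). */
uintptr_t deallocate_buggy(void)
{
    setup();
    clobbering_free(specific[0], sizeof *specific[0]);
    specific[0] = NULL;
    return seen_during_free;
}

/* Fixed order: clear the pointer first, then free. The lookup finds no
 * block and returns 0 instead of garbage. */
uintptr_t deallocate_fixed(void)
{
    setup();
    struct level2 *l2 = specific[0];
    specific[0] = NULL;
    clobbering_free(l2, sizeof *l2);
    return seen_during_free;
}
```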