From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 15903 invoked by alias); 7 Oct 2006 01:52:46 -0000
Received: (qmail 15848 invoked by uid 48); 7 Oct 2006 01:52:35 -0000
Date: Sat, 07 Oct 2006 01:52:00 -0000
From: "ian at airs dot com"
To: glibc-bugs@sources.redhat.com
Message-ID: <20061007015233.3318.ian@airs.com>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug linuxthreads/3318] New: Overriding free which clobbers data and calls pthread_getspecific can get bad value (linuxthreads)
X-Bugzilla-Reason: CC
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Subscribe:
List-Post:
List-Help:
Sender: glibc-bugs-owner@sourceware.org
X-SW-Source: 2006-10/txt/msg00031.txt.bz2
List-Id:

This is the linuxthreads version of bugzilla PR 3317, which I reported for NPTL.

If I override the libc free() function, and change that function to clobber some bytes of the data, and then call pthread_getspecific from that function, pthread_getspecific can return bad data. This is because __pthread_destroy_specifics frees memory before clearing the pointer to it. This happens around line 200:

    if (THREAD_GETMEM_NC(self, p_specific[i]) != NULL)
      {
        free(THREAD_GETMEM_NC(self, p_specific[i]));
        THREAD_SETMEM_NC(self, p_specific[i], NULL);
      }

This should be rewritten to call THREAD_GETMEM_NC, then THREAD_SETMEM_NC, then free.

I will attach a test case which shows the problem on i686-pc-linux-gnu using Fedora Core 4 with glibc-2.3.6-3 when setting the environment variable LD_ASSUME_KERNEL to 2.4.19.
--
           Summary: Overriding free which clobbers data and calls pthread_getspecific can get bad value (linuxthreads)
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: normal
          Priority: P2
         Component: linuxthreads
        AssignedTo: drow at false dot org
        ReportedBy: ian at airs dot com
                CC: glibc-bugs at sources dot redhat dot com

http://sourceware.org/bugzilla/show_bug.cgi?id=3318

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
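Added example, not part of the report or of glibc: a constructed C model of the ordering problem described above. A free() replacement that clobbers the buffer and then looks up the per-thread slot sees the clobbered buffer when the slot is cleared after the free, and sees NULL when the slot is cleared first, as the report proposes. All names (specific[], model_getspecific, clobbering_free, simulate) are this example's stand-ins, not glibc's THREAD_GETMEM_NC/THREAD_SETMEM_NC.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-thread p_specific[] slots; the names here
 * are the example's own stand-ins, not glibc's. */
#define BUFSZ 16
static void *specific[4];

/* Stand-in for pthread_getspecific(): returns the raw slot contents. */
static void *model_getspecific(int key) { return specific[key]; }

/* The overriding free() from the report: clobber the bytes, then look the
 * slot up. Returns -1 if the lookup saw NULL, else the first byte it read. */
static int clobbering_free(void *p, int key) {
    int seen = -1;
    memset(p, 0xa5, BUFSZ);
    unsigned char *q = model_getspecific(key);
    if (q != NULL)
        seen = q[0];   /* slot still points at the clobbered buffer */
    free(p);
    return seen;
}

/* Order in __pthread_destroy_specifics as reported: free, then clear. */
static int destroy_buggy_order(int key) {
    int seen = -1;
    if (specific[key] != NULL) {
        seen = clobbering_free(specific[key], key);
        specific[key] = NULL;
    }
    return seen;
}

/* Order the report proposes: read the slot, clear it, then free. */
static int destroy_fixed_order(int key) {
    int seen = -1;
    void *p = specific[key];
    if (p != NULL) {
        specific[key] = NULL;
        seen = clobbering_free(p, key);
    }
    return seen;
}

/* Install a constructed buffer in slot 1 and tear it down in the given order. */
static int simulate(int fixed_order) {
    specific[1] = malloc(BUFSZ);
    strcpy(specific[1], "thread data");
    return fixed_order ? destroy_fixed_order(1) : destroy_buggy_order(1);
}
```

simulate(0) returns 0xa5, the clobber byte read through the still-live slot; simulate(1) returns -1 because the lookup inside free() already sees NULL.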