public inbox for glibc-bugs@sourceware.org
* [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory
@ 2011-07-11 15:40 dlbulk-sourcesredhat at yahoo dot com
  2011-07-12 20:58 ` [Bug libc/12981] " ppluzhnikov at google dot com
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: dlbulk-sourcesredhat at yahoo dot com @ 2011-07-11 15:40 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12981

           Summary: race in aio handle_fildes_io corrupts user memory
           Product: glibc
           Version: 2.14
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: dlbulk-sourcesredhat@yahoo.com


sysdeps/pthread/aio_misc.c:

          if (aiocbp->aiocb.__return_value == -1)
            aiocbp->aiocb.__error_code = errno;
          else
            aiocbp->aiocb.__error_code = 0;

          /* Send the signal to notify about finished processing of the
             request.  */
          __aio_notify (runp);

Once aiocb.__error_code is set, a user thread could be polling aio_error and
aio_return to process the completed io. aiocbp could be freed in this process.

However, __aio_notify dereferences and modifies this memory:

sysdeps/pthread/aio_notify.c:

    #ifdef BROKEN_THREAD_SIGNALS
      if (__aio_notify_only (&aiocbp->aio_sigevent, req->caller_pid) != 0)
    #else
      if (__aio_notify_only (&aiocbp->aio_sigevent) != 0)
    #endif
        {
          /* XXX What shall we do if already an error is set by
             read/write/fsync?  */
          aiocbp->__error_code = errno;
          aiocbp->__return_value = -1;
        }

To fix this race, __aio_notify should be skipped if
aiocbp->aio_sigevent.sigev_notify is SIGEV_NONE.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug libc/12981] race in aio handle_fildes_io corrupts user memory
  2011-07-11 15:40 [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory dlbulk-sourcesredhat at yahoo dot com
@ 2011-07-12 20:58 ` ppluzhnikov at google dot com
  2011-07-19  6:15 ` renegat.nospam at gmail dot com
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: ppluzhnikov at google dot com @ 2011-07-12 20:58 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12981

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com


* [Bug libc/12981] race in aio handle_fildes_io corrupts user memory
  2011-07-11 15:40 [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory dlbulk-sourcesredhat at yahoo dot com
  2011-07-12 20:58 ` [Bug libc/12981] " ppluzhnikov at google dot com
@ 2011-07-19  6:15 ` renegat.nospam at gmail dot com
  2012-12-19 10:41 ` schwab@linux-m68k.org
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: renegat.nospam at gmail dot com @ 2011-07-19  6:15 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12981

renegat.nospam at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |renegat.nospam at gmail dot
                   |                            |com

--- Comment #1 from renegat.nospam at gmail dot com 2011-07-19 06:14:12 UTC ---
The call to __aio_notify() should not be skipped, because even if the request
itself requires no notification, it could be associated with a waitlist that is
processed within __aio_notify(), if the request is part of an asynchronous
'lio_listio' operation.

Suggestions to fix this bug:

   - add additional parameter 'int error_code' to interface of __aio_notify()
   - at start of __aio_notify():
       1. save the value of field 'aio_sigevent.sigev_notify' to new local
          variable 'int notify'
       2. insert a read memory barrier afterwards
       3. assign aiocb field '__error_code' to value of parameter error_code
       4. skip call to __aio_notify_only() if notify is SIGEV_NONE
   - change the (only two) calls to __aio_notify() to pass the error code
     and remove previous assignment

or

   - add new field 'int sigev_notify' to 'struct requestlist'
   - within __aio_enqueue_request(): assign it with value of
     'aio_sigevent.sigev_notify'
   - within __aio_notify(): skip call to __aio_notify_only() if
     req->sigev_notify is SIGEV_NONE


There is also a race condition (only a minor bug) within aio_cancel(): a user
thread other than the one that called aio_cancel() may poll aio_error(), and
as soon as the return value is ECANCELED this thread can call aio_return(),
which may return a value other than -1 as required by the POSIX standard.

'sysdeps/pthread/aio_cancel.c':

    int
    aio_cancel (fildes, aiocbp)
       int fildes;
       struct aiocb *aiocbp;
    {
        ...
        req->aiocbp->aiocb.__error_code = ECANCELED;
        req->aiocbp->aiocb.__return_value = -1;
        __aio_notify (req);
        ...
    }

Bug fixes here:

If the first bug fix above is chosen, it will fix this bug automatically by
moving the assignment of '__error_code' into __aio_notify(); in the other
case, swap the two assignments and insert a write memory barrier in between.

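The two orderings discussed in this thread (the original report's publish-then-notify sequence in handle_fildes_io/__aio_notify, and comment #1's aio_cancel store order) as an added, single-threaded model. This is illustrative harness code, not glibc's aio implementation: the `*_m` names, `STALE_RESULT`, `IN_PROGRESS`, the `harness` bookkeeping and the points where "the poller runs" are all constructed assumptions. The harness marks the control block as published the moment `error_code` leaves EINPROGRESS (when a polling user thread may call aio_return and free it) and counts every library access after that point; that count is the use-after-free window the report describes.

```c
/* Added example, not glibc code: a model of the orderings in bug 12981.
   *_m names are simplified stand-ins for struct aiocb / __aio_notify. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

#define M_SIGEV_SIGNAL 0            /* modelled sigev_notify values */
#define M_SIGEV_NONE   1
#define STALE_RESULT   1234         /* constructed leftover __return_value */
#define IN_PROGRESS    (-100)       /* constructed: poller saw no completion yet */

struct aiocb_m {                    /* stand-in for struct aiocb */
    int sigev_notify;               /* aio_sigevent.sigev_notify, user-owned */
    atomic_int error_code;          /* __error_code, EINPROGRESS until done */
    int return_value;               /* __return_value */
};

/* Once error_code leaves EINPROGRESS the block is published: the user may
   call aio_return and free it.  Library accesses after that are counted. */
struct harness { struct aiocb_m cb; int published; int violations; int notified; };

static void lib_access(struct harness *h) { if (h->published) h->violations++; }

static void init(struct harness *h, int notify)
{
    h->cb.sigev_notify = notify;
    atomic_store_explicit(&h->cb.error_code, EINPROGRESS, memory_order_relaxed);
    h->cb.return_value = STALE_RESULT;
    h->published = h->violations = h->notified = 0;
}

/* Release store: a poller whose acquire load sees the new error_code also
   sees every earlier write to the block (the write barrier from comment #1). */
static void publish_error(struct harness *h, int err)
{
    lib_access(h);
    atomic_store_explicit(&h->cb.error_code, err, memory_order_release);
    h->published = 1;
}

/* Stand-in for __aio_notify_only; `fail` selects its error path. */
static int notify_only(struct harness *h, int fail)
{
    h->notified++;
    if (fail) { errno = EAGAIN; return -1; }
    return 0;
}

/* Reported ordering: handle_fildes_io publishes, then __aio_notify touches
   the block (reads aio_sigevent, writes __error_code/__return_value on error). */
static int complete_buggy(struct harness *h, int err, int fail)
{
    publish_error(h, err);                  /* user may free the block now */
    lib_access(h);                          /* &aiocbp->aio_sigevent is read */
    if (notify_only(h, fail) != 0) {
        lib_access(h);                      /* written after publication */
        atomic_store_explicit(&h->cb.error_code, errno, memory_order_relaxed);
        h->cb.return_value = -1;
    }
    return h->violations;
}

/* Comment #1, first suggestion: __aio_notify receives the error code, saves
   sigev_notify, read barrier, publishes, then skips __aio_notify_only for
   SIGEV_NONE, so a polled request is never touched after publication. */
static int complete_fixed(struct harness *h, int err, int fail)
{
    lib_access(h);
    int notify = h->cb.sigev_notify;        /* 1. read while still owned */
    atomic_thread_fence(memory_order_acquire);   /* 2. read barrier */
    publish_error(h, err);                  /* 3. publish the error code */
    if (notify != M_SIGEV_NONE && notify_only(h, fail) != 0) {  /* 4. */
        lib_access(h);                      /* signal/thread path only */
        atomic_store_explicit(&h->cb.error_code, errno, memory_order_relaxed);
        h->cb.return_value = -1;
    }
    return h->violations;
}

/* What aio_return would report to a poller that just saw ECANCELED. */
static int poller_view(struct harness *h)
{
    if (atomic_load_explicit(&h->cb.error_code, memory_order_acquire) == ECANCELED)
        return h->cb.return_value;          /* POSIX requires -1 here */
    return IN_PROGRESS;
}

/* aio_cancel orderings; the poller runs between the two stores. */
static int cancel_buggy(struct harness *h)
{
    atomic_store_explicit(&h->cb.error_code, ECANCELED, memory_order_relaxed);
    int seen = poller_view(h);              /* stale __return_value leaks out */
    h->cb.return_value = -1;
    return seen;
}

static int cancel_fixed(struct harness *h)
{
    h->cb.return_value = -1;                /* swapped: result first ... */
    int seen = poller_view(h);              /* poller still sees in-progress */
    atomic_store_explicit(&h->cb.error_code, ECANCELED, memory_order_release); /* ... then barrier+publish */
    return seen;
}

/* Entry points: violations after publication / value a racing poller gets. */
int run_complete(int fixed, int notify, int fail)
{
    struct harness h; init(&h, notify);
    return fixed ? complete_fixed(&h, 0, fail) : complete_buggy(&h, 0, fail);
}
int run_cancel(int fixed)
{
    struct harness h; init(&h, M_SIGEV_NONE);
    return fixed ? cancel_fixed(&h) : cancel_buggy(&h);
}

int main(void)
{
    printf("buggy completion, SIGEV_NONE: %d accesses after publication\n",
           run_complete(0, M_SIGEV_NONE, 1));
    printf("fixed completion, SIGEV_NONE: %d\n", run_complete(1, M_SIGEV_NONE, 1));
    printf("buggy cancel: poller got %d; fixed: %d (%d = not yet cancelled)\n",
           run_cancel(0), run_cancel(1), IN_PROGRESS);
    return 0;
}
```

The model is deliberately sequential: the interleavings that matter are fixed at the commented points rather than left to a scheduler, so the count and the poller's view are deterministic. In the fixed completion path a request with a signal or thread notification still reaches `__aio_notify_only`, which matches the thread's proposal (only SIGEV_NONE requests are skipped); the release/acquire pair on `error_code` is the C11 spelling of the read and write barriers comment #1 asks for.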

* [Bug libc/12981] race in aio handle_fildes_io corrupts user memory
  2011-07-11 15:40 [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory dlbulk-sourcesredhat at yahoo dot com
  2011-07-12 20:58 ` [Bug libc/12981] " ppluzhnikov at google dot com
  2011-07-19  6:15 ` renegat.nospam at gmail dot com
@ 2012-12-19 10:41 ` schwab@linux-m68k.org
  2014-06-27 12:56 ` fweimer at redhat dot com
  2015-08-27 22:06 ` [Bug librt/12981] " jsm28 at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: schwab@linux-m68k.org @ 2012-12-19 10:41 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12981

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|drepper.fsp at gmail dot    |unassigned at sourceware
                   |com                         |dot org


* [Bug libc/12981] race in aio handle_fildes_io corrupts user memory
  2011-07-11 15:40 [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory dlbulk-sourcesredhat at yahoo dot com
                   ` (2 preceding siblings ...)
  2012-12-19 10:41 ` schwab@linux-m68k.org
@ 2014-06-27 12:56 ` fweimer at redhat dot com
  2015-08-27 22:06 ` [Bug librt/12981] " jsm28 at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: fweimer at redhat dot com @ 2014-06-27 12:56 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=12981

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-


* [Bug librt/12981] race in aio handle_fildes_io corrupts user memory
  2011-07-11 15:40 [Bug libc/12981] New: race in aio handle_fildes_io corrupts user memory dlbulk-sourcesredhat at yahoo dot com
                   ` (3 preceding siblings ...)
  2014-06-27 12:56 ` fweimer at redhat dot com
@ 2015-08-27 22:06 ` jsm28 at gcc dot gnu.org
  4 siblings, 0 replies; 6+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2015-08-27 22:06 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=12981

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |librt

