From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <siddhesh@sourceware.org>
Received: from insect.birch.relay.mailchannels.net
 (insect.birch.relay.mailchannels.net [23.83.209.93])
 by sourceware.org (Postfix) with ESMTPS id E7FD73858024
 for <libc-alpha@sourceware.org>; Wed,  2 Jun 2021 01:21:53 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org E7FD73858024
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id 5ED205A0D7F;
 Wed,  2 Jun 2021 01:21:52 +0000 (UTC)
Received: from pdx1-sub0-mail-a34.g.dreamhost.com
 (100-96-13-97.trex.outbound.svc.cluster.local [100.96.13.97])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id C2B225A0DB0;
 Wed,  2 Jun 2021 01:21:51 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from pdx1-sub0-mail-a34.g.dreamhost.com (pop.dreamhost.com
 [64.90.62.162])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384)
 by 100.96.13.97 (trex/6.2.1); Wed, 02 Jun 2021 01:21:52 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Befitting-Company: 3c78ee470efd54e5_1622596912152_2886870206
X-MC-Loop-Signature: 1622596912152:1691219379
X-MC-Ingress-Time: 1622596912152
Received: from pdx1-sub0-mail-a34.g.dreamhost.com (localhost [127.0.0.1])
 by pdx1-sub0-mail-a34.g.dreamhost.com (Postfix) with ESMTP id 886918B8DF;
 Tue,  1 Jun 2021 18:21:51 -0700 (PDT)
Received: from [192.168.1.111] (unknown [1.186.101.110])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 (Authenticated sender: siddhesh@gotplt.org)
 by pdx1-sub0-mail-a34.g.dreamhost.com (Postfix) with ESMTPSA id 2FC4A8B8DE;
 Tue,  1 Jun 2021 18:21:47 -0700 (PDT)
Subject: Re: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
To: Florian Weimer <fweimer@redhat.com>, libc-alpha@sourceware.org
Cc: Andreas Schwab <schwab@linux-m68k.org>
References: <87wnrd1nor.fsf@oldenburg.str.redhat.com>
X-DH-BACKEND: pdx1-sub0-mail-a34
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Message-ID: <f46c830c-7cc9-4a6b-1f62-f62f8de7dd1e@sourceware.org>
Date: Wed, 2 Jun 2021 06:51:42 +0530
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <87wnrd1nor.fsf@oldenburg.str.redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3494.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, NICE_REPLY_A,
 RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,
 SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jun 2021 01:21:55 -0000

On 6/1/21 11:18 PM, Florian Weimer via Libc-alpha wrote:
> __pthread_attr_copy can fail and does not initialize the attribute
> structure in that case.
> 
> If __pthread_attr_copy is never called and there is no allocated
> attribute, pthread_attr_destroy should not be called, otherwise
> there is a null pointer dereference in rt/tst-mqueue6.
> 
> Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
> ("Use __pthread_attr_copy in mq_notify (bug 27896)").
> 
> Tested on i686-linux-gnu and x86_64-linux-gnu.

Thanks, I missed that in my review.  LGTM.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

> 
> ---
>   sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
>   1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
> index f7ddfe5a6c..6f46d29d1d 100644
> --- a/sysdeps/unix/sysv/linux/mq_notify.c
> +++ b/sysdeps/unix/sysv/linux/mq_notify.c
> @@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
>         if (data.attr == NULL)
>   	return -1;
>   
> -      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
> +      int ret = __pthread_attr_copy (data.attr,
> +				     notification->sigev_notify_attributes);
> +      if (ret != 0)
> +	{
> +	  free (data.attr);
> +	  __set_errno (ret);
> +	  return -1;
> +	}
>       }
>   
>     /* Construct the new request.  */
> @@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
>     int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
>   
>     /* If it failed, free the allocated memory.  */
> -  if (__glibc_unlikely (retval != 0))
> +  if (retval != 0 && data.attr != NULL)
>       {
>         pthread_attr_destroy (data.attr);
>         free (data.attr);
>