From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pgowda.cve@gmail.com>
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com
 [IPv6:2607:f8b0:4864:20::e33])
 by sourceware.org (Postfix) with ESMTPS id DB8C5385700F
 for <libc-help@sourceware.org>; Mon, 13 Sep 2021 14:14:02 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org DB8C5385700F
Received: by mail-vs1-xe33.google.com with SMTP id c28so8532158vsh.11
 for <libc-help@sourceware.org>; Mon, 13 Sep 2021 07:14:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=eogk+561ViCgg2fMGpKBWG2WuMYIrJPuO6fehyk4TU8=;
 b=nfCBPBR//4eqJ9cdHiPv18p7/fuJylPfK8mZ93OK3suhlRb0bzuxNODEkkPQYgIo9V
 C0pjlUHYzyFX6WXj97WMWtWYtuM4fu2rMUb6c6T1hOVkzyR9BcjhCuSH7fnAPmUobsrC
 6Oymu1kpL1WZ2hy83yJALtkbOr+ZTWwBjgH5FMx30R1PYesWaw5HAzsGFbZKb3o/h7xH
 hNTl5vrUP5PKZRdw+WGGB6RherOx+JpGWt1zo8u9f2Ra22rZmglbJm9yHEBQsuzJTtLZ
 kgg6WSojrddxc+QFK4feszaZFo0jHKRBTKfqbuJsk0cn1glkQ5zkqk2Jd8/8K7IggK1e
 hz8A==
X-Gm-Message-State: AOAM5323sFMEoEmR89vkRDfANySzZ//DP6zHmd42XoaoGwjZmCkS1gty
 I+K2DG/s42MTm1ku/UpKvwN1VWkDT9HP/ACCCl1HFPAjTDM=
X-Google-Smtp-Source: ABdhPJz12FxBd3Xfb7HOadcm1weNmx2rODZ+d5+0eVq/tV5ryganxAZ151UKX6jeI6BvN8w4c67/mD1acl9pELuxhL8=
X-Received: by 2002:a67:eb56:: with SMTP id x22mr5037488vso.31.1631542442335; 
 Mon, 13 Sep 2021 07:14:02 -0700 (PDT)
MIME-Version: 1.0
From: pgowda cve <pgowda.cve@gmail.com>
Date: Mon, 13 Sep 2021 19:43:52 +0530
Message-ID: <CALY4984bu_GywXu_h1isRf1DxAX33x6kiFAHo1FNBxHYC9h=yw@mail.gmail.com>
Subject: Race observed in if_nametoindex function (not MT-Safe)
To: libc-help@sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,
 SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-help@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-help mailing list <libc-help.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-help>,
 <mailto:libc-help-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-help/>
List-Help: <mailto:libc-help-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-help>,
 <mailto:libc-help-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 14:14:04 -0000

Hi,

The race and assert-triggering was observed in if_nametoindex function.
It calls __opensock, which contains two static variables (last_type,
last_family)
that can race, triggering an assert on line 63 of opensock.c.
The variables are set in the reverse order to which they are checked.
Since there is no synchronization between these variables, should the function
not be made MT-Safe.

The patch was originally posted at:-
https://sourceware.org/pipermail/libc-alpha/2014-January/048052.html
It mentions the function as MT-Safe but race was observed.

We may need a memory barrier (atomic_[read|write]_barrier() ? ) to
ensure that the
compiler doesn't re-order assembly instructions and has last_family be
set before last_type.

Environment
Observed during a system restart when the processes start up and
software calls if_nametoindex from multiple threads.
GLIBC was dynamically Linked.

Regards,
pgowda