From: Siddhesh Poyarekar
To: libc-stable@sourceware.org
Cc: Nikita Popov
Subject: [committed 2.34] librt: fix NULL pointer dereference (bug 28213)
Date: Mon, 9 Aug 2021 20:22:09 +0530
Message-Id: <20210809145209.383778-1-siddhesh@sourceware.org>
List-Id: Libc-stable mailing list

From: Nikita Popov

The helper thread frees the copied attribute on the NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether the copied attribute actually exists (data.attr != NULL). This worked earlier because free() checks the passed pointer before actually attempting to release the corresponding memory. But __pthread_attr_destroy assumes the pointer is not NULL. So passing a NULL pointer to __pthread_attr_destroy will result in a segmentation fault.

This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).

Signed-off-by: Nikita Popov
Reviewed-by: Siddhesh Poyarekar
(cherry picked from commit b805aebd42364fe696e417808a700fdb9800c9e8)
---
 sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index 9799dcdaa4..eccae2e4c6 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -131,7 +131,7 @@ helper_thread (void *arg) to wait until it is done with it. */ (void) __pthread_barrier_wait (¬ify_barrier); } - else if (data.raw[NOTIFY_COOKIE_LEN - 1] =3D=3D NOTIFY_REMOVED) + else if (data.raw[NOTIFY_COOKIE_LEN - 1] =3D=3D NOTIFY_REMOVED && = data.attr !=3D NULL) { /* The only state we keep is the copy of the thread attributes. */ __pthread_attr_destroy (data.attr); --=20 2.31.1
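Review bot: appending `&& data.attr != NULL` to the `else if` condition changes how the message is classified, not just whether the destroy runs: a NOTIFY_REMOVED cookie whose attribute copy is NULL no longer matches this branch at all and falls through to whatever follows the chain, which the hunk does not show. If any later branch treats an unmatched cookie as an error or as another message kind, the default-attributes case is now routed there. Guarding only the call keeps the branch structure intact:

    else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
      {
        if (data.attr != NULL) __pthread_attr_destroy (data.attr);

The free() that the commit message says already tolerates NULL can stay as it is. In either form, the condition deserves a one-line comment saying that data.attr == NULL is the sigev_notify_attributes == NULL (default thread attributes) case, since that invariant is otherwise only visible where the copy is made.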
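The scenario the commit message describes, as an added reproducer that is not part of the patch, of glibc, or of Nikita Popov's report: register a SIGEV_THREAD notification on a POSIX message queue with sigev_notify_attributes == NULL, then remove it with mq_notify (q, NULL). The removal makes the kernel send the NOTIFY_REMOVED cookie to glibc's helper thread, which on an unfixed 2.34 reaches __pthread_attr_destroy (NULL) and kills the process with SIGSEGV; with the fix applied the call simply returns. The queue name, the eight-iteration loop, the 200 ms wait for the helper thread and the mapping of mq_open/mq_notify failures to an "unavailable" result are assumptions of this example, chosen so that it also runs cleanly in a sandbox without message queues or netlink sockets.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Notification callback.  It never runs here because no message is ever
   sent to the queue; only registration and removal are exercised.  */
static void on_message (union sigval sv)
{
  (void) sv;
}

/* Outcome codes for exercise_null_attr_notify (assumed by this example).  */
enum { NOTIFY_OK = 0, NOTIFY_UNAVAILABLE = -1, NOTIFY_FAILED = -2 };

/* Register a SIGEV_THREAD notification with sigev_notify_attributes == NULL
   (default thread attributes, so glibc keeps data.attr == NULL) and remove it
   again.  Removal makes the kernel send a NOTIFY_REMOVED cookie to glibc's
   helper thread; before the fix that thread called __pthread_attr_destroy
   (NULL) and the whole process died with SIGSEGV.  On a fixed libc this
   returns NOTIFY_OK.  NOTIFY_UNAVAILABLE means the environment has no POSIX
   message queues or refuses the netlink socket / thread the helper needs;
   NOTIFY_FAILED means the removal call itself failed, which should not
   happen.  Queue name and timing are assumptions of this example.  */
int exercise_null_attr_notify (void)
{
  char name[64];
  snprintf (name, sizeof name, "/bug28213-repro-%ld", (long) getpid ());

  struct mq_attr qa = { .mq_maxmsg = 4, .mq_msgsize = 64 };
  mqd_t q = mq_open (name, O_RDWR | O_CREAT | O_EXCL, 0600, &qa);
  if (q == (mqd_t) -1)
    return NOTIFY_UNAVAILABLE;

  int rc = NOTIFY_OK;
  for (int i = 0; i < 8 && rc == NOTIFY_OK; i++)
    {
      struct sigevent sev;
      memset (&sev, 0, sizeof sev);
      sev.sigev_notify = SIGEV_THREAD;
      sev.sigev_notify_function = on_message;
      sev.sigev_notify_attributes = NULL;   /* the case bug 28213 is about */

      if (mq_notify (q, &sev) == -1)
        {
          rc = NOTIFY_UNAVAILABLE;   /* netlink socket or helper thread refused */
          break;
        }
      /* Unregister: the kernel now queues NOTIFY_REMOVED to the helper thread.  */
      if (mq_notify (q, NULL) == -1)
        rc = NOTIFY_FAILED;
    }

  /* Let the helper thread consume the cookies before we tear the queue down,
     so an unfixed libc crashes here rather than after main returns.  */
  struct timespec ts = { .tv_sec = 0, .tv_nsec = 200 * 1000 * 1000 };
  nanosleep (&ts, NULL);

  mq_close (q);
  mq_unlink (name);
  return rc;
}

int main (void)
{
  int rc = exercise_null_attr_notify ();
  if (rc == NOTIFY_OK)
    puts ("register/remove with NULL attributes survived: helper thread is fixed");
  else if (rc == NOTIFY_UNAVAILABLE)
    puts ("POSIX message queues or the notification helper are unavailable here");
  else
    puts ("unexpected failure removing the notification");
  return rc == NOTIFY_FAILED;
}
```

On glibc older than 2.34 the mq_* functions live in librt, so add -lrt when linking; from 2.34 on they are in libc. Other libcs implement SIGEV_THREAD notification without glibc's netlink helper thread, so the crash is specific to unfixed glibc; the program still runs there, it just never exercises the bug.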