From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from black.elm.relay.mailchannels.net (black.elm.relay.mailchannels.net [23.83.212.19]) by sourceware.org (Postfix) with ESMTPS id C2C413892472; Tue, 17 Aug 2021 13:53:41 +0000 (GMT)
From: Siddhesh Poyarekar
To: libc-stable@sourceware.org
Cc: Nikita Popov
Subject: [committed 2.32 1/2] librt: fix NULL pointer dereference (bug 28213)
Date: Tue, 17 Aug 2021 19:23:17 +0530
Message-Id: <20210817135320.242788-1-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
List-Id: Libc-stable mailing list

From: Nikita Popov

Helper thread frees copied attribute on NOTIFY_REMOVED message received
from the OS kernel. Unfortunately, it fails to check whether copied
attribute actually exists (data.attr != NULL). This worked earlier because
free() checks passed pointer before actually attempting to release
corresponding memory. But __pthread_attr_destroy assumes pointer is not
NULL. So passing NULL pointer to __pthread_attr_destroy will result in
segmentation fault. This scenario is possible if
notification->sigev_notify_attributes == NULL (which means default thread
attributes should be used).

Signed-off-by: Nikita Popov
Reviewed-by: Siddhesh Poyarekar
(cherry picked from commit b805aebd42364fe696e417808a700fdb9800c9e8)
---
 sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index b5a903c3a2..2bb98172c8 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -132,7 +132,7 @@ helper_thread (void *arg) to wait until it is done with it. */ (void) __pthread_barrier_wait (¬ify_barrier); } - else if (data.raw[NOTIFY_COOKIE_LEN - 1] =3D=3D NOTIFY_REMOVED) + else if (data.raw[NOTIFY_COOKIE_LEN - 1] =3D=3D NOTIFY_REMOVED && = data.attr !=3D NULL) { /* The only state we keep is the copy of the thread attributes. */ pthread_attr_destroy (data.attr); --=20 2.31.1
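Review bot: the added `&& data.attr != NULL` guard is sound because `pthread_attr_destroy (data.attr)` is the only statement in that branch, but the comment kept directly above it, `/* The only state we keep is the copy of the thread attributes. */`, now reads as if the copy always exists; extending it with the case the commit message describes (attr is NULL when the registration passed sigev_notify_attributes == NULL and default attributes are used) would record why the check is needed for the next reader. Also a style point on the same `+` line: the condition `else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)` is 80 characters before indentation, over glibc's 79-column limit, so the `&& data.attr != NULL` part should move to a continuation line aligned under the opening parenthesis.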
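The failure mode the commit message describes (a copied attribute object that is NULL whenever the caller asked for default attributes, and a cleanup path that must skip `pthread_attr_destroy` in that case) is reproduced below as an added, self-contained C example. It is not glibc's code: `struct notify_state`, `notify_state_init`, `notify_state_release` and `copied_detachstate` are hypothetical names constructed for this illustration, and only the detach state is copied, through the public attribute API, so that the copy is a properly initialised object that `pthread_attr_destroy` accepts.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the state the helper thread keeps for one
   registration: a heap copy of the caller's attributes, or NULL when the
   caller passed sigev_notify_attributes == NULL (default attributes).  */
struct notify_state
{
  pthread_attr_t *attr;
};

/* Registration side: copy the caller's attributes only if it supplied any.
   Returns 1 if a copy was made, 0 if defaults are used, -1 on failure.  */
int
notify_state_init (struct notify_state *st, const pthread_attr_t *user_attr)
{
  st->attr = NULL;
  if (user_attr == NULL)
    return 0;                         /* default attributes: nothing to copy */

  st->attr = malloc (sizeof *st->attr);
  if (st->attr == NULL)
    return -1;

  /* Initialise the copy and transfer one attribute via the public API.  */
  int detach;
  if (pthread_attr_init (st->attr) != 0
      || pthread_attr_getdetachstate (user_attr, &detach) != 0
      || pthread_attr_setdetachstate (st->attr, detach) != 0)
    {
      free (st->attr);
      st->attr = NULL;
      return -1;
    }
  return 1;
}

/* Cleanup side, i.e. what runs on NOTIFY_REMOVED.  The pre-fix code called
   pthread_attr_destroy (st->attr) unconditionally: free (NULL) is a no-op,
   but pthread_attr_destroy (NULL) dereferences the pointer and crashes.
   Returns 1 if an attribute copy was released, 0 if there was none.  */
int
notify_state_release (struct notify_state *st)
{
  if (st->attr == NULL)               /* the guard the fix adds */
    return 0;
  pthread_attr_destroy (st->attr);    /* valid only for a non-NULL object */
  free (st->attr);
  st->attr = NULL;
  return 1;
}

/* Read back the copied detach state, or -1 if no copy exists.  */
int
copied_detachstate (const struct notify_state *st)
{
  int detach = -1;
  if (st->attr != NULL)
    pthread_attr_getdetachstate (st->attr, &detach);
  return detach;
}

int
main (void)
{
  struct notify_state st;
  pthread_attr_t user;                /* constructed caller attributes */
  pthread_attr_init (&user);
  pthread_attr_setdetachstate (&user, PTHREAD_CREATE_DETACHED);

  notify_state_init (&st, &user);
  printf ("explicit attributes: detachstate=%d released=%d\n",
          copied_detachstate (&st), notify_state_release (&st));

  notify_state_init (&st, NULL);
  printf ("default attributes: released=%d\n", notify_state_release (&st));

  pthread_attr_destroy (&user);
  return 0;
}
```

The second call path in `main` is the one the bug report covers: with default attributes there is no copy, and the release step must return without touching `pthread_attr_destroy`.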