diff mbox series

librt: fix NULL pointer dereference (bug 28213)

Message ID	CA+cA0PA3mNB=QW_oSd2BAuRsr=6Hmt1bt61kanQ=_vcN4ygeYQ@mail.gmail.com
State	Committed
Delegated to:	Siddhesh Poyarekar
Headers	DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 6F8A43858C27 MIME-Version: 1.0 Date: Mon, 9 Aug 2021 17:25:33 +0500 Message-ID: <CA+cA0PA3mNB=QW_oSd2BAuRsr=6Hmt1bt61kanQ=_vcN4ygeYQ@mail.gmail.com> Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) To: libc-alpha@sourceware.org Content-Type: multipart/mixed; boundary="000000000000f21b5505c91f7ba7" Precedence: list From: =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LIgdmlhIExpYmMtYWxwaGE=?= <libc-alpha@sourceware.org> Reply-To: =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LI=?= <npv1310@gmail.com> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>
Series	librt: fix NULL pointer dereference (bug 28213) \| librt: fix NULL pointer dereference (bug 28213)

Checks

Context	Check	Description
dj/TryBot-apply_patch	success	Patch applied to master at the time it was sent
dj/TryBot-32bit	success	Build for i686

Commit Message

Никита Попов Aug. 9, 2021, 12:25 p.m. UTC

Comments

Siddhesh Poyarekar Aug. 9, 2021, 1:21 p.m. UTC | #1

On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
> Helper thread frees copied attribute on NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether copied attribute actually exists (data.attr != NULL). This worked earlier because free() checks passed pointer before actually attempting to release corresponding memory. But __pthread_attr_destroy assumes pointer is not NULL. So passing NULL pointer to __pthread_attr_destroy will result in segmentation fault. This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).

Thank you, the fix looks good to me.  Do you have a test case to go with it?

Thanks,
Siddhesh

Florian Weimer Aug. 9, 2021, 1:27 p.m. UTC | #2

* Siddhesh Poyarekar:

> On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
>> Helper thread frees copied attribute on NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether copied attribute actually exists (data.attr != NULL). This worked earlier because free() checks passed pointer before actually attempting to release corresponding memory. But __pthread_attr_destroy assumes pointer is not NULL. So passing NULL pointer to __pthread_attr_destroy will result in segmentation fault. This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).
>
> Thank you, the fix looks good to me.  Do you have a test case to go with it?

Siddhesh, if you are going to push this, please line-wrap the commit
message before doing so.

Thanks,
Florian

Siddhesh Poyarekar Aug. 9, 2021, 1:32 p.m. UTC | #3

On 8/9/21 6:51 PM, Siddhesh Poyarekar wrote:
> On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
>> Helper thread frees copied attribute on NOTIFY_REMOVED message 
>> received from the OS kernel. Unfortunately, it fails to check whether 
>> copied attribute actually exists (data.attr != NULL). This worked 
>> earlier because free() checks passed pointer before actually 
>> attempting to release corresponding memory. But __pthread_attr_destroy 
>> assumes pointer is not NULL. So passing NULL pointer to 
>> __pthread_attr_destroy will result in segmentation fault. This 
>> scenario is possible if notification->sigev_notify_attributes == NULL 
>> (which means default thread attributes should be used).
> 
> Thank you, the fix looks good to me.  Do you have a test case to go with 
> it?

Also, I don't know if you have an FSF copyright assignment, but it's no 
longer necessary.  Please confirm that you're the original author and 
are authorized to contribute this patch by adding a DCO, i.e. add a 
Signed-off-by to indicate that.  See also:

https://developercertificate.org/

Thanks,
Siddhesh

Никита Попов Aug. 9, 2021, 1:45 p.m. UTC | #4

Thanks for the feedback. Yes, I confirm that I'm the original author
of this patch. Here is the adjusted version. If necessary, I can write
proof-of-concept and attach it here.

пн, 9 авг. 2021 г. в 18:32, Siddhesh Poyarekar <siddhesh@gotplt.org>:
>
> On 8/9/21 6:51 PM, Siddhesh Poyarekar wrote:
> > On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
> >> Helper thread frees copied attribute on NOTIFY_REMOVED message
> >> received from the OS kernel. Unfortunately, it fails to check whether
> >> copied attribute actually exists (data.attr != NULL). This worked
> >> earlier because free() checks passed pointer before actually
> >> attempting to release corresponding memory. But __pthread_attr_destroy
> >> assumes pointer is not NULL. So passing NULL pointer to
> >> __pthread_attr_destroy will result in segmentation fault. This
> >> scenario is possible if notification->sigev_notify_attributes == NULL
> >> (which means default thread attributes should be used).
> >
> > Thank you, the fix looks good to me.  Do you have a test case to go with
> > it?
>
> Also, I don't know if you have an FSF copyright assignment, but it's no
> longer necessary.  Please confirm that you're the original author and
> are authorized to contribute this patch by adding a DCO, i.e. add a
> Signed-off-by to indicate that.  See also:
>
> https://developercertificate.org/
>
> Thanks,
> Siddhesh

Siddhesh Poyarekar Aug. 9, 2021, 2:35 p.m. UTC | #5

On 8/9/21 7:15 PM, Никита Попов via Libc-alpha wrote:
> Thanks for the feedback. Yes, I confirm that I'm the original author
> of this patch. Here is the adjusted version. If necessary, I can write
> proof-of-concept and attach it here.

If the PoC is deterministic, it would be useful as a test case[1] to 
protect from future regressions.

Thanks,
Siddhesh

[1] https://sourceware.org/glibc/wiki/Testing/Testsuite

Siddhesh Poyarekar Aug. 9, 2021, 2:50 p.m. UTC | #6

On 8/9/21 7:15 PM, Никита Попов via Libc-alpha wrote:
> Thanks for the feedback. Yes, I confirm that I'm the original author
> of this patch. Here is the adjusted version. If necessary, I can write
> proof-of-concept and attach it here.

I have pushed your patch now, thanks again.  We can push the test as a 
separate patch if it is deterministic.

Thanks,
Siddhesh

diff mbox series

Patch

From c69f990e356dd8e756b0025e026d59db5af6e059 Mon Sep 17 00:00:00 2001
From: Nikita Popov <npv1310@gmail.com>
Date: Mon, 9 Aug 2021 17:15:52 +0500
Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
To: libc-alpha@sourceware.org

Helper thread frees copied attribute on NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether copied attribute actually exists (data.attr != NULL). This worked earlier because free() checks passed pointer before actually attempting to release corresponding memory. But __pthread_attr_destroy assumes pointer is not NULL. So passing NULL pointer to __pthread_attr_destroy will result in segmentation fault. This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).
---
 sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index 9799dcdaa4..eccae2e4c6 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -131,7 +131,7 @@  helper_thread (void *arg)
 	       to wait until it is done with it.  */
 	    (void) __pthread_barrier_wait (&notify_barrier);
 	}
-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
 	{
 	  /* The only state we keep is the copy of the thread attributes.  */
 	  __pthread_attr_destroy (data.attr);
-- 
2.17.1