From patchwork Mon Aug  9 12:25:33 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LI=?=
 <npv1310@gmail.com>
X-Patchwork-Id: 44608
X-Patchwork-Delegate: siddhesh@gotplt.org
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id E9BF0381DCF5
	for <patchwork@sourceware.org>; Mon,  9 Aug 2021 12:26:07 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E9BF0381DCF5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1628511967;
	bh=mcDum7E+ng5eHFr0mr+LQ8pGct8zWmNT252e+/2seqE=;
	h=Date:Subject:To:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:From;
	b=go5mJtPPdQT4dwcr9gww4JL+SntvCHEuE42awTqtkZ+56y+dPaiJvV2HQKcR9YXb1
	 A4rZuS+Nv40Xrl8Ydw1h12oHwVbQUGzaw0JAdhABVdRlhPIRF93X/ThJRUT+m0/KWP
	 tGZ+1XhPCl9x4Z4aIO5nMiC6jyxSvEDNUlHYzcXc=
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com
 [IPv6:2a00:1450:4864:20::132])
 by sourceware.org (Postfix) with ESMTPS id 6F8A43858C27
 for <libc-alpha@sourceware.org>; Mon,  9 Aug 2021 12:25:45 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 6F8A43858C27
Received: by mail-lf1-x132.google.com with SMTP id w20so6856585lfu.7
 for <libc-alpha@sourceware.org>; Mon, 09 Aug 2021 05:25:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=mcDum7E+ng5eHFr0mr+LQ8pGct8zWmNT252e+/2seqE=;
 b=LSGBdzZeOvRk20K+t01mIM9epmuiLhcvWdbZsu9zZYHG+G+C2YkVRWC836BMnmRjHF
 Ohb54BD+4KOQ+TgdJ6uLXiK8zedYreSwyGRgVvimRukO8oc2YE3wWy+B+IevvcSETOxt
 jNao9bfexLXS2R+utdd0GQOycYWFdsm7Tk/9JTaaCNvzg47m1V2iyJ9aT/djrClSKtQ/
 noZMBWMIzUCrr8CYW4qEKqn6yNnlmtU8qZB92darpVQn79mkRYldM8F5ZoodizLexx2o
 rX9dTGrNQpV8S60tRvt0dac9IbQ2KrFR0asFxlpg0gkBhIHuGFHmIv8USMTSQZSuDcaz
 245g==
X-Gm-Message-State: AOAM530VjpRnovVeq3v21tvXFC116LcdY3FUELoCQbEc60LTWbPf34A+
 ZCtpjiGngaYlpNDMYdHDbzyOpmNrIHtoahbB3oUHbZJC
X-Google-Smtp-Source: 
 ABdhPJxRxfCt/3I8CqrxhTiX7ma35Tm3O1DOVtenHcSbGTR9zQwfI1uaAnKWhol7koC+jML3LNJs5aVHEicLVNIIopU=
X-Received: by 2002:a05:6512:784:: with SMTP id
 x4mr13576856lfr.528.1628511944179;
 Mon, 09 Aug 2021 05:25:44 -0700 (PDT)
MIME-Version: 1.0
Date: Mon, 9 Aug 2021 17:25:33 +0500
Message-ID: 
 <CA+cA0PA3mNB=QW_oSd2BAuRsr=6Hmt1bt61kanQ=_vcN4ygeYQ@mail.gmail.com>
Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
To: libc-alpha@sourceware.org
X-Spam-Status: No, score=-11.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_ENVFROM_END_DIGIT,
 FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-Patchwork-Original-From: 
 =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LIgdmlhIExpYmMtYWxwaGE=?=
 <libc-alpha@sourceware.org>
From: =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LI=?= <npv1310@gmail.com>
Reply-To: =?utf-8?b?0J3QuNC60LjRgtCwINCf0L7Qv9C+0LI=?= <npv1310@gmail.com>
Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
Sender: "Libc-alpha"
 <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>


From c69f990e356dd8e756b0025e026d59db5af6e059 Mon Sep 17 00:00:00 2001
From: Nikita Popov <npv1310@gmail.com>
Date: Mon, 9 Aug 2021 17:15:52 +0500
Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
To: libc-alpha@sourceware.org

Helper thread frees copied attribute on NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether copied attribute actually exists (data.attr != NULL). This worked earlier because free() checks passed pointer before actually attempting to release corresponding memory. But __pthread_attr_destroy assumes pointer is not NULL. So passing NULL pointer to __pthread_attr_destroy will result in segmentation fault. This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).
---
 sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index 9799dcdaa4..eccae2e4c6 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -131,7 +131,7 @@ helper_thread (void *arg)
 	       to wait until it is done with it.  */
 	    (void) __pthread_barrier_wait (&notify_barrier);
 	}
-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
 	{
 	  /* The only state we keep is the copy of the thread attributes.  */
 	  __pthread_attr_destroy (data.attr);
-- 
2.17.1