From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: stdio self-synchronized destruction: does it need fixing?
Date: Mon, 10 Dec 2012 13:05:09 -0500 [thread overview]
Message-ID: <20121210180508.GA2313@brightrain.aerifal.cx> (raw)
Hi all,
Question about an issue that seems purely theoretical:
self-synchronized destruction of stdio FILEs. Does anything need to be
fixed?
The basic self-synchronized destruction scenario that affects all
synchronization primitives is: Thread A is waiting to acquire the
resource with the knowledge that there is presently at most one other
thread using it. Thread B releases the lock, then checks to see if
there are any waiters to wake up. But between these two steps, it's
possible that thread A already woke up and destroyed the object, in
which case, reading the waiters field is an invalid read.
glibc has a number of such bugs, but I fixed most of them in musl a
long time ago. (Note that this is a race condition that takes
somewhere on the order of years to hit, unless you artificially poke
at the timing; that's why it doesn't get much attention.) Anyway, I
recently realized that musl still has the issue for stdio FILE
streams. If thread B is holding a lock with flockfile and thread A
calls fclose on the locked stream, it's possible that when thread B
unlocks the stream, thread A gets to free it before thread B can check
to see if there are waiters that need to be woken.
"Fixing" the issue would not be too hard, but since it's nontrivial,
I'd like to consider whether the fix is actually necessary. Unlike
mutexes or semaphores, FILEs do not exist in application-controlled
memory. The allocation of FILE structues is always performed by libc,
and always happens via malloc with a small-size allocation, which
means the memory is managed as part of the heap and never unmapped
once it's mapped. Thus, as far as I can tell, the worst that can
happen is a read-only access to memory no longer owned by the FILE,
but that's still valid, and in this case, it doesn't matter whether a
wakeup futex event is generated, since there can be no waiters;
spurious wakeup events are harmless here.
Any thoughts by others on the matter?
Rich
next reply other threads:[~2012-12-10 18:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-10 18:05 Rich Felker [this message]
2012-12-10 22:57 ` Szabolcs Nagy
2012-12-10 23:21 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121210180508.GA2313@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).