From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general
Subject: Test case for 'false ownership' of mutex via TID reuse
Date: Sat, 16 Aug 2014 19:06:11 -0400
Message-ID: <20140816230611.GA1241@brightrain.aerifal.cx>
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com

The attached test case exhibits a bug I'm about to fix in musl, and which also exists in glibc, whereby happening to get the same TID as a previous mutex owner who exited with the mutex locked allows the new thread to unlock the mutex. See also:

http://austingroupbugs.net/view.php?id=755

Sadly it's rather slow and impractical to add to libc-test.
I'm not sure if it's possible to run it in a container with a smaller pid/tid space to get the reuse to happen sooner. It can also have false negatives if some other process claims the tid before it gets reused for a new thread in the test process. Ideas to make the test more practical and reliable would be nice.

Rich

[Attachment: false_ownership_2.c]

#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* First call: lock an error-checking mutex and let the thread exit without
 * unlocking it. Every later call: try to unlock it. pthread_mutex_unlock on
 * an ERRORCHECK mutex must fail (EPERM) for a non-owner, so it can only
 * succeed if the implementation mistakes this thread for the dead owner,
 * i.e. if the kernel handed it the dead owner's TID. */
void *f(void *p)
{
	static int init;
	static pthread_mutex_t m;
	pthread_mutexattr_t ma;
	if (!init) {
		init = 1;
		pthread_mutexattr_init(&ma);
		pthread_mutexattr_settype(&ma, PTHREAD_MUTEX_ERRORCHECK);
		pthread_mutex_init(&m, &ma);
		pthread_mutex_lock(&m);
		pthread_mutexattr_destroy(&ma);
		return 0;
	}
	if (!pthread_mutex_unlock(&m)) {
		printf("unlocked mutex via false ownership\n");
		exit(1);
	}
	return 0;
}

int main()
{
	int i;
	pthread_t td;
	/* Spawn and join one thread at a time until the kernel reuses the first
	 * thread's TID, or the iteration budget runs out (the slow part). */
	for (i=0; i<100000; i++) {
		pthread_create(&td, 0, f, 0);
		pthread_join(td, 0);
	}
	return 0;
}
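Added example (not part of Rich's message, and not musl's or glibc's code): a small deterministic model of the ownership check the post is about. An error-checking mutex that records its owner as a bare kernel tid compares that number on unlock, so a later thread that is assigned the dead owner's tid passes the check; the kernel only reuses tids after wrapping pid_max, which is why the real test needs so many iterations. The toy tid space below (MAX_TID values handed out round-robin) is an assumption of the model so that the reuse happens on a fixed spawn. The second mutex, which records ownership as (tid, generation) with a never-reused generation counter, is shown as one generic mitigation for illustration only; it is not the fix musl applied.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Toy TID space (an assumption of this model): tids 1..MAX_TID are handed
 * out round-robin, so the reuse the post waits for happens on the MAX_TID-th
 * spawn after the owner instead of after pid_max wraps. */
#define MAX_TID 4

/* A thread identity: the reusable tid plus a generation that is never reused. */
struct thread_id { int tid; uint64_t gen; };

static int next_tid;
static uint64_t next_gen;

static struct thread_id spawn_thread(void)
{
    struct thread_id t;
    t.tid = 1 + (next_tid++ % MAX_TID);   /* wraps, like kernel tids */
    t.gen = ++next_gen;                    /* monotonic, never reused */
    return t;
}

/* Error-checking mutex whose owner is recorded as a bare tid: the design the
 * post describes, where a dead owner's tid can come back on a new thread. */
struct tid_mutex { int owner_tid; };

int tid_mutex_lock(struct tid_mutex *m, struct thread_id self)
{
    if (m->owner_tid == self.tid) return EDEADLK;   /* relock by (apparent) owner */
    if (m->owner_tid != 0) return EBUSY;            /* held by another thread */
    m->owner_tid = self.tid;
    return 0;
}

int tid_mutex_unlock(struct tid_mutex *m, struct thread_id self)
{
    if (m->owner_tid != self.tid) return EPERM;     /* only the owner may unlock */
    m->owner_tid = 0;
    return 0;
}

/* Same mutex with ownership recorded as (tid, generation): one generic way to
 * defeat tid reuse, shown for illustration; not what musl or glibc does. */
struct gen_mutex { int owner_tid; uint64_t owner_gen; };

int gen_mutex_lock(struct gen_mutex *m, struct thread_id self)
{
    if (m->owner_tid == self.tid && m->owner_gen == self.gen) return EDEADLK;
    if (m->owner_tid != 0) return EBUSY;
    m->owner_tid = self.tid;
    m->owner_gen = self.gen;
    return 0;
}

int gen_mutex_unlock(struct gen_mutex *m, struct thread_id self)
{
    if (m->owner_tid != self.tid || m->owner_gen != self.gen) return EPERM;
    m->owner_tid = 0;
    m->owner_gen = 0;
    return 0;
}

/* Replays the post's test against both designs: one thread locks and exits
 * without unlocking, later threads try to unlock. Stores the unlock results of
 * the first later thread that received the dead owner's tid and returns how
 * many spawns that took; returns -1 if a non-colliding thread got through. */
int replay_false_ownership(int *tid_result, int *gen_result)
{
    struct tid_mutex tm = {0};
    struct gen_mutex gm = {0, 0};
    struct thread_id owner = spawn_thread();
    int spawns = 1;
    tid_mutex_lock(&tm, owner);
    gen_mutex_lock(&gm, owner);
    /* owner exits here, still holding both mutexes */
    for (;;) {
        struct thread_id t = spawn_thread();
        spawns++;
        if (t.tid != owner.tid) {
            if (tid_mutex_unlock(&tm, t) != EPERM) return -1;
            if (gen_mutex_unlock(&gm, t) != EPERM) return -1;
            continue;
        }
        *tid_result = tid_mutex_unlock(&tm, t);   /* 0: false ownership */
        *gen_result = gen_mutex_unlock(&gm, t);   /* EPERM: refused */
        return spawns;
    }
}

int main(void)
{
    int tr, gr;
    int spawns = replay_false_ownership(&tr, &gr);
    printf("tid reused after %d spawns\n", spawns);
    printf("tid-keyed unlock: %s\n", tr == 0 ? "succeeded (false ownership)" : "refused");
    printf("gen-keyed unlock: %s\n", gr == EPERM ? "refused with EPERM" : "succeeded");
    return tr == 0;
}
```

Build with cc -o false_owner_model false_owner_model.c and run it; exit status 1 means the tid-keyed unlock went through. The model has no real threads, so it says nothing about timing or about another process grabbing the tid first (the false-negative case mentioned above), only about what the ownership check itself can and cannot tell apart.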