From: Никита Попов via Libc-alpha
Reply-To: Никита Попов
To: libc-alpha@sourceware.org
Date: Mon, 9 Aug 2021 18:45:03 +0500
Subject: Re: [PATCH] librt: fix NULL pointer dereference (bug 28213)
In-Reply-To: <5e77e8ef-f526-045b-945f-c582f2c8144c@gotplt.org>

Thanks for the feedback. Yes, I confirm that I'm the original author of
this patch. Here is the adjusted version. If necessary, I can write a
proof-of-concept and attach it here.

Mon, 9 Aug 2021 at 18:32, Siddhesh Poyarekar:
>
> On 8/9/21 6:51 PM, Siddhesh Poyarekar wrote:
> > On 8/9/21 5:55 PM, Никита Попов via Libc-alpha wrote:
> >> Helper thread frees copied attribute on NOTIFY_REMOVED message
> >> received from the OS kernel. Unfortunately, it fails to check whether
> >> copied attribute actually exists (data.attr != NULL). This worked
> >> earlier because free() checks passed pointer before actually
> >> attempting to release corresponding memory. But __pthread_attr_destroy
> >> assumes pointer is not NULL. So passing NULL pointer to
> >> __pthread_attr_destroy will result in segmentation fault. This
> >> scenario is possible if notification->sigev_notify_attributes == NULL
> >> (which means default thread attributes should be used).
> >
> > Thank you, the fix looks good to me. Do you have a test case to go with
> > it?
>
> Also, I don't know if you have an FSF copyright assignment, but it's no
> longer necessary. Please confirm that you're the original author and
> are authorized to contribute this patch by adding a DCO, i.e. add a
> Signed-off-by to indicate that.
> See also:
>
> https://developercertificate.org/
>
> Thanks,
> Siddhesh

Attachment: 0001-librt-fix-NULL-pointer-dereference-bug-28213.patch (text/x-patch)
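The NOTIFY_REMOVED path discussed above, as an added C example written for this thread (it is not glibc's mq_notify.c and not the attached patch): it models the helper thread's message and the attribute copy made at registration time, and shows why the `data.attr != NULL` test has to sit in front of the destroy call, since `free(NULL)` is harmless but `pthread_attr_destroy(NULL)` is not. The union layout, `make_removed_msg()`, and the NOTIFY_REMOVED value are assumptions of this model, not glibc's definitions.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the helper thread's message (an assumption, not
   glibc's real layout): the cookie's last byte says why the thread was
   woken; attr is the private copy of the caller's thread attributes, or
   NULL when sigev_notify_attributes was NULL (default attributes).  */
#define NOTIFY_COOKIE_LEN 32
#define NOTIFY_REMOVED 1   /* placeholder value for this model */

union notify_data
{
  pthread_attr_t *attr;          /* overlays the first bytes of raw */
  char raw[NOTIFY_COOKIE_LEN];
};

/* What the helper thread sees after the kernel drops the registration.
   Only the detach state is copied from the caller's attributes here.  */
static union notify_data
make_removed_msg (const pthread_attr_t *user_attr)
{
  union notify_data d;
  memset (&d, 0, sizeof d);
  if (user_attr != NULL && (d.attr = malloc (sizeof *d.attr)) != NULL)
    {
      int detach;
      pthread_attr_init (d.attr);
      pthread_attr_getdetachstate (user_attr, &detach);
      pthread_attr_setdetachstate (d.attr, detach);
    }
  d.raw[NOTIFY_COOKIE_LEN - 1] = NOTIFY_REMOVED;
  return d;
}

/* Fixed NOTIFY_REMOVED handling: free (NULL) is a no-op, but
   pthread_attr_destroy (NULL) dereferences its argument, so test for NULL
   first.  Returns 1 if a copy was destroyed, 0 if none, -1 otherwise.  */
static int
handle_removed (union notify_data *data)
{
  if (data->raw[NOTIFY_COOKIE_LEN - 1] != NOTIFY_REMOVED)
    return -1;
  if (data->attr == NULL)
    return 0;
  pthread_attr_destroy (data->attr);
  free (data->attr);
  data->attr = NULL;
  return 1;
}
```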