diff options
| author | Adrian-CJ Hung <adrian-cj.hung@mediatek.com> | 2019-04-03 10:39:15 +0800 |
|---|---|---|
| committer | Elliott Hughes <enh@google.com> | 2019-04-04 12:49:33 -0700 |
| commit | 62bb17a8900b6724b3019101a534d67449c0b681 (patch) | |
| tree | fb0352ee43c05afbba9daba93ae45a77dc8582b8 /libc/malloc_debug/malloc_debug.cpp | |
| parent | 20a0001e05cb84c03076021ecf4cbf3b28bda3f8 (diff) | |
Workaround potential access to unmapped stack
Issue:
Process is crashed near the end (startup_handshake_lock.unlock()) in
pthread_create().
The newly created child thread passes this handshake_lock unexpectedly
=> its stack is unmapped & its associated pthread_internal_t data
structure can’t be accessed.
Analysis:
The created child thread should be blocked by startup_handshake_lock.lock()
and enter __futex_wait_ex()
But if the parent thread is in the middle of startup_handshake_lock.unlock():
void unlock() {
if (atomic_exchange_explicit(&state, Unlocked, memory_order_seq_cst) == LockedWithWaiter) { // => the state is modified to Unlocked
// (a) if the child thread is back to running and pass the while() check in Lock::lock()
// (b) the child thread executes its start_routine and then pthread_exit
// (c) the stack of the child thread (where its pthread_internal_t (so the startup_handshake_lock) is located) will be unmapped
__futex_wake_ex(&state, process_shared, 1); // => when the parent thread is back to running
// the “state” & “process_shared” of startup_handshake_lock can’t be accessed (unmapped)
// so the process will be crashed
}
}
Bug: 129744706
Test: Monkey
(cherry picked from commit 8c1a14d4f358a8135e0c0632da6d40c37192c0c2)
Change-Id: I88f3e1f205f802ece751aacd63fe7d3cc56f2a5f
Diffstat (limited to 'libc/malloc_debug/malloc_debug.cpp')
0 files changed, 0 insertions, 0 deletions