| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.1 sourceware.org 9A7A83858D35 |
| Authentication-Results: | sourceware.org; |
| dmarc=fail (p=none dis=none) header.from=nifty.ne.jp | |
| Authentication-Results: | sourceware.org; spf=fail smtp.mailfrom=nifty.ne.jp |
| DKIM-Filter: | OpenDKIM Filter v2.10.3 conssluserg-01.nifty.com 20FAKUOP001391 |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.ne.jp; |
| s=dec2015msa; t=1642242030; | |
| bh=01A110Es5Hwe7EQUjdSiNQ2exLThFEYxd6a0O2iLydM=; | |
| h=Date:From:To:Subject:From; | |
| b=E3V58+4uftTBYsqSCuMl9LSEamUl6Yd1pq9Dr/U6o0JYgnOijZQaV2nrt5VMHy1oB | |
| gv+ljQorExO8HHA1NJz4PchCnfTi7EPTL4sj7B8Bn4NxPBNXlkyQl+uMEXvbwa1aOp | |
| Ws3kPuikQyuXpxCyVBc5W7+8sn0zwaXRQx0L3plUr0qKcAagXlOmy5A9pZrOUeJCgA | |
| hCzsAuKMWJB/kS3ztzhHKthDWcUMpy3ESDMY1pjNRhnBzFsCHCT+J4bLO+nk+7U//U | |
| oZUz8Gn+uJeCW8efuxqDe/ESgUJ8MXmwWTQFq3F8BiTcoTfFR8aBrQE+MxyEl5WfgL | |
| 1lwloLO4d7EUA== | |
| X-Nifty-SrcIP: | [14.3.233.132] |
| Date: | Sat, 15 Jan 2022 19:20:30 +0900 |
| From: | Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Segmentation fault due to double free for archetype. |
| Message-Id: | <20220115192030.de26356820d839eec3227e70@nifty.ne.jp> |
| X-Mailer: | Sylpheed 3.7.0 (GTK+ 2.24.30; i686-pc-mingw32) |
| Mime-Version: | 1.0 |
| X-Spam-Status: | No, score=-10.3 required=5.0 tests=BAYES_00, DKIM_SIGNED, |
| DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, | |
| SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4 | |
| X-Spam-Checker-Version: | SpamAssassin 3.4.4 (2020-01-24) on |
| server2.sourceware.org | |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.29 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
Hi,
I found the following test case causes segmentation fault
in 32 bit cygwin.
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
int main() {
for (int i = 0; i < 256; i++) {
printf("\r%d, %d\n", i, open("/dev/ptmx", O_RDWR | O_NOCTTY));
}
return 0;
}
The test case results in:
$ ./a.exe
0, 3
1, 4
2, 5
[...]
125, 128
126, 129
0 [main] a 50 tty_list::allocate: No pty allocated
127, -1
1549 [main] a 50 tty_list::allocate: No pty allocated
128, -1
3047 [main] a 50 tty_list::allocate: No pty allocated
129, -1
4625 [main] a 50 tty_list::allocate: No pty allocated
130, -1
6477 [main] a 50 tty_list::allocate: No pty allocated
Segmentation fault (core dumped)
I looked into this problem and found that this is due to
free'ing archetype which was already free'ed by _cfree().
The mechanism of the problem is:
1) archetype is added to archetypes[] at line 675 in dtable.cc
when trying to open pty.
2) Opening pty fails because too many ptys are opened.
3) archetype is deleted at line 444 in fhandler.cc.
4) archetype is copied from archetypes[] at line 659 in dtable.cc
which is already free'ed in step 3) when trying to open pty again.
5) Opening pty fails again.
6) archetype which was already free'ed in step 3) is deleted at
line 444 in fhandler.cc.
I am not sure why this does not happen in 64 bit cygwin.
I guess double free does not cause segfault by chance in
64 bit cygwin.
I also found the following patch fixes the issue. Is this the
right thing?
diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
index fc7c0422e..e51208117 100644
--- a/winsup/cygwin/fhandler.cc
+++ b/winsup/cygwin/fhandler.cc
@@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode)
|| open (flags, mode & 07777)))
{
if (archetype)
- delete archetype;
+ cygheap->fdtab.delete_archetype (archetype);
}
else if (archetype)
{
--
Takashi Yano <takashi DOT yano AT nifty DOT ne DOT jp>
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |