Date: Tue, 14 Dec 2004 18:24:33 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: tty_list::terminate() tty_master NULL pointer deference
Message-ID: <20041214172433.GG4226@cygbert.vinschen.de>
In-Reply-To: <200412140556.iBE5uxBe029829@main.electric-cloud.com>

On Dec 13 21:54, Conrad W Song wrote:
> There is a race/bug between 'tty_list::allocate_tty()' and
> 'tty_list::terminate()'. The culprits appear to be:
>
> 1) 'tty_list::terminate' does not hold the 'tty_mutex' before freeing a tty
> 2) 'tty::init()' does not clear 'master_pid' field as called by
> 'tty_list::terminate()'.
>
> The result is that 'allocate_tty()' can enter quickly reusing the same PID
> as the process which used to own the master tty (for some reason Windows
> decides to recycle PIDs very quickly). The process thinks that it is
> holding the master tty (even though the _prior_ process was terminated --
> same PID but different process), and 'tty_master' remains NULL. Upon
> 'tty_list::terminate', 'tty_master' is then NULL dereferenced.
>
> I have tried fixing 'tty::init()' to zero out the 'master_pid' field, and it
> appears to solve the problem (have not checked it for other bad behavior),
> as does the workaround of using 'CYGWIN=notty'. However, I do not believe
> that the back-to-back PID reuse is timing sensitive, so I am surprised that
> strace could not pick up the problem. I therefore suspect a flaw in my
> analysis and am still suspicious about the need for 'tty_mutex' locking in
> 'tty_list::terminate'. I will try to provide a reproducing test case soon.

Thanks for your analysis! I've applied a matching patch.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
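
The stale-owner condition described in the quoted report, as an added single-threaded C++ model that is not part of the original message and is not Cygwin source: it covers only the uncleared `master_pid` (item 2), not the `tty_mutex` question. `TtySlot`, `Process`, `Master`, `become_master` and `recycled_pid_hits_null` are hypothetical names, and the PID value is constructed.

```cpp
#include <cstdio>

struct Master { int fd; };            // stand-in for the per-process master object

struct TtySlot {                      // shared table entry, outlives any one process
    int master_pid = 0;               // PID recorded as owner of the master side
    // Models tty::init(); clear_owner == true is the fix from the message.
    void init(bool clear_owner) { if (clear_owner) master_pid = 0; }
};

struct Process {
    int pid;
    Master *master = nullptr;         // models tty_master: set only by the real owner
    explicit Process(int p) : pid(p) {}

    void become_master(TtySlot &s) {
        master = new Master{3};
        s.master_pid = pid;
    }

    // Models the terminate path: ownership is decided by PID comparison alone.
    // Returns true if this path would dereference a NULL master pointer.
    bool terminate(TtySlot &s, bool clear_owner) {
        bool null_deref = false;
        if (s.master_pid == pid) {    // "I am the master" according to the slot
            if (master == nullptr)
                null_deref = true;    // the unguarded code would crash here
            else
                delete master;
            master = nullptr;
            s.init(clear_owner);
        }
        return null_deref;
    }
};

// Process A owns the master and exits; process B then starts with the same PID
// (constructed value 1234) and never creates a master object of its own.
bool recycled_pid_hits_null(bool clear_owner) {
    TtySlot slot;
    Process a(1234);
    a.become_master(slot);
    a.terminate(slot, clear_owner);
    Process b(1234);                  // recycled PID, different process
    return b.terminate(slot, clear_owner);
}

int main() {
    std::printf("stale master_pid:   NULL deref = %d\n", recycled_pid_hits_null(false));
    std::printf("cleared master_pid: NULL deref = %d\n", recycled_pid_hits_null(true));
}
```

The model shows why a bare PID is a weak ownership token in shared state: any record keyed on it has to be reset when the owner goes away, or a later process with the same PID inherits the claim.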