Date: Wed, 15 Aug 2012 16:54:42 +0400
Subject: Cygwin crashes in kill_pgrp, _pinfo truncation issue.
From: Andrey Khalyavin
To: cygwin AT cygwin DOT com

I finally got a cygwin crash dump from our build bots. It shows that cygwin1.dll crashes in the kill_pgrp function on the line:

    (pid > 1 && p->pgid != pid) ||

where p is a pointer to _pinfo. This function enumerates all _pinfo's and executes this line for all of them which pass the p->exists() check. In the crash dump, p points to a _pinfo that has process_state equal to PID_IN_USE | PID_EXECED.

As far as I understand, such _pinfo's have a smaller size, and so accessing the pgid field leads to a crash. I found a past thread that describes a very similar problem: http://cygwin.com/ml/cygwin/2010-09/msg00390.html

We obviously need to add a check for PID_EXECED in this function. But I'm worried that we can still have a race condition where an external process can truncate the structure just after our check. Some ideas on how to fix this race condition (if it exists):

1. Use ReadProcessMemory for memory access.
2. Move the command line to the end of the structure and extend PINFO_REDIR_SIZE to include all important fields.
3. Make proper synchronization. Not sure how it should be done in this case. Since this is a memory mapped file, one may need to use functions like LockFile.

Andrey Khalyavin
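The PID_EXECED check the report asks for, plus a size check against the mapped length, modelled in a small added C example that is not Cygwin's code: the pinfo_t layout, the PID_* flag values and the PINFO_REDIR_SIZE definition are assumptions made for this example, and pinfo_view_t stands in for how many bytes of a record the shared mapping actually exposes.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Simplified stand-in for Cygwin's _pinfo; field order and flag values are
   assumptions for this example, not Cygwin's own. */
#define PID_IN_USE 0x1u
#define PID_EXECED 0x2u
typedef struct {
    pid_t    pid;
    uint32_t process_state;
    uint32_t dwProcessId;
    pid_t    pgid;          /* beyond the truncated view of an exec'd stub */
} pinfo_t;
/* Assumed analogue of PINFO_REDIR_SIZE: bytes a PID_EXECED entry keeps. */
#define PINFO_REDIR_SIZE (offsetof(pinfo_t, dwProcessId) + sizeof(uint32_t))
typedef struct {
    const pinfo_t *p;
    size_t mapped_size;     /* bytes of *p the mapping actually exposes */
} pinfo_view_t;

/* True when the whole field [offset, offset + len) lies inside the mapping. */
static int field_readable(const pinfo_view_t *v, size_t offset, size_t len)
{
    return offset + len <= v->mapped_size;
}
/* PID_EXECED flags the truncated stub; the size test also covers a reader
   that finds the mapping smaller than it expected. */
int pgid_accessible(const pinfo_view_t *v)
{
    if (!field_readable(v, offsetof(pinfo_t, process_state), sizeof(uint32_t)))
        return 0;
    if (!(v->p->process_state & PID_IN_USE) || (v->p->process_state & PID_EXECED))
        return 0;
    return field_readable(v, offsetof(pinfo_t, pgid), sizeof(pid_t));
}
/* The enumeration kill_pgrp performs, skipping entries whose pgid is unsafe. */
int count_pgrp_members(const pinfo_view_t *views, size_t n, pid_t pgid)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (pgid_accessible(&views[i]) && views[i].p->pgid == pgid)
            count++;
    return count;
}
```

The size check only closes the window for a reader whose view of the mapping is fixed; the race the report describes, where the structure is truncated after the check, still needs one of the three remedies listed above.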